Open masnormen opened 11 months ago
Hi! @masnormen
You are correct, Hono's Validator does not validate the response. What Zod OpenAPI does now is very loose validation. I would like to think about this issue. Thanks.
Hi. I've found a solution for this issue and would like to propose a PR soon. Thanks for the response!
Great! Waiting!
Hi, I'm having a problem making sure the return type of a handler to be as strict as the defined zod schema in
createRoute
. Consider the following code:However, it seems that
zod-openapi
doesn't do a type parse/validation on return type. The following handler which returns an extra property/key also works, and doesn't throw an error:This could make the API less safe/secure. For example after fetching user data from a DB table, the developer could accidentally return the user data without omitting the password fields first, because TypeScript doesn't complain about the extra "password" field.
I think this is related to the usage of
z.infer
in theOutputType<R>
type, which I guess can be fixed by either:z.parse()
on the response) (using an extra middleware?)Is there a workaround for making sure the type is exactly the same? Or is there something I'm missing? Anyway thank you for the amazing works!