kogosoftwarellc / open-api

A Monorepo of various packages to power OpenAPI in node
MIT License

parameter fails to validate when specified as a $ref #483

Open cdimascio opened 5 years ago

cdimascio commented 5 years ago

Parameters specified as a $ref are not validated

Here is an example

Define the following parameter under components.parameters

components:
  parameters:
    id:
      name: id
      in: path
      description: ID of pet to fetch
      required: true
      schema:
        type: integer
        format: int64

Use the parameter in a route:

paths:
  /pets/{id}:
    get:
      description: Returns a user based on a single ID, if the user does not have access to the pet
      operationId: find pet by id
      parameters:
        - $ref: '#/components/parameters/id'

The component '#/components/parameters/id' is not validated. It works if the component is placed inline without using a ref. This is not desirable, given parameters may be specified generally as a ref.

giowe commented 4 years ago

+1

jsdevel commented 4 years ago

Feel free to open a PR.

jberger commented 4 years ago

This is a major issue for us at $work, I'm really quite surprised that it seemingly isn't an issue for more users. I'm happy to do the work to fix it but I must admit I've had a hard time tracking down where the resolution of that ref would happen. Can someone give me some pointers for where to start looking?

jsdevel commented 4 years ago

@jberger I'd look at the parameters package, and the request validation package.

jberger commented 4 years ago

I had assumed there was a centralized $ref parser in action somewhere. After finding a series of commits that enabled $ref in response bodies (I think it was) I've decided that I'm not the right person to poke this particular $ref bug. For the future reader, I've switched to pre-parsing my schema doc with json-schema-ref-parser and then passing that to express-openapi. It seems to work well for me so far. Cheers.
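
The workaround described above, resolving references before the document reaches the validator, sketched for local parameter refs only. This is an added example, not part of the thread and not code from json-schema-ref-parser or express-openapi; `resolvePointer` and `inlineParameterRefs` are hypothetical helper names, and `apiDoc` is the issue's YAML rewritten as an object.

```javascript
// Added example. apiDoc is constructed from the issue's YAML, as a JS object.
const apiDoc = {
  components: { parameters: { id: { name: 'id', in: 'path', required: true,
    schema: { type: 'integer', format: 'int64' } } } },
  paths: { '/pets/{id}': { get: { operationId: 'find pet by id',
    parameters: [{ $ref: '#/components/parameters/id' }] } } },
};
const METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Follow a local JSON Pointer ("#/a/b"); unescape ~1 and ~0 per RFC 6901.
function resolvePointer(doc, ref) {
  if (typeof ref !== 'string' || !ref.startsWith('#/')) {
    throw new Error(`only local refs are handled here: ${ref}`);
  }
  return ref.slice(2).split('/').reduce((node, raw) => {
    const key = decodeURIComponent(raw).replace(/~1/g, '/').replace(/~0/g, '~');
    if (Object(node) !== node || !Object.prototype.hasOwnProperty.call(node, key)) {
      throw new Error(`unresolvable $ref: ${ref}`);
    }
    return node[key];
  }, doc);
}

// Copy the document, replace each path- and operation-level parameter $ref
// with its target, and report what was replaced (useful as an audit list).
function inlineParameterRefs(doc) {
  const out = JSON.parse(JSON.stringify(doc));
  const replaced = [];
  for (const [path, item] of Object.entries(out.paths || {})) {
    const holders = [[path, item]].concat(
      METHODS.filter((m) => item[m]).map((m) => [`${m.toUpperCase()} ${path}`, item[m]]));
    for (const [label, holder] of holders) {
      if (!Array.isArray(holder.parameters)) continue;
      holder.parameters = holder.parameters.map((param) => {
        const seen = new Set();
        let p = param;
        while (p && p.$ref) {
          if (seen.has(p.$ref)) throw new Error(`circular $ref: ${p.$ref}`);
          seen.add(p.$ref);
          replaced.push(`${label}: ${p.$ref}`);
          p = resolvePointer(out, p.$ref);
        }
        return p;
      });
    }
  }
  return { doc: out, replaced };
}
```

The `replaced` list doubles as an inventory of the routes whose parameters were being passed through unvalidated, such as the integer `id` path parameter here.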

Gabrirf commented 3 years ago

I think this is another case of this kind of error, since @jberger said that is a centralized error.

openapi: 3.0.1
info:
  title: Herency Example
  version: 1.0.0
paths: {}
components:
  schemas:
    ItemBase:
      type: object
      properties:
        name:
          type: string
    Item:
      allOf:
        - $ref: '#/components/schemas/ItemBase'
        - type: object
          properties:
            color:
              type: string
        - required: [name]
        - additionalProperties: false

If I try to validate a body with the key name it fails because additionalProperties: false. But if I don't send name, it fails because it's required.

I guess that is because it is reading only at its own schema level, and the validation is not recursive.

But the schema is well formed; in the Swagger UI you can see it in full.
