luolingchun / flask-openapi3

Generate REST API and OpenAPI documentation for your Flask project.
https://luolingchun.github.io/flask-openapi3/
MIT License
203 stars 33 forks

Query model extra='forbid' not honored #198

Open puittenbroek opened 4 days ago

puittenbroek commented 4 days ago

We currently also use flask_pydantic since that was our first step into getting pydantic incorporated into flask.

Its validate function uses the pydantic model for the query as-is to check the incoming query parameters. Via

In our project we do the following:

```python
from pydantic import BaseModel, ConfigDict, Field

class MyQueryParams(BaseModel):
    model_config = ConfigDict(extra="forbid")
    some_id: str = Field(default_factory=lambda: None, description="some id")
```

While using flask_pydantic's validate, passing any unknown fields will cause a ValidationError, which is very desirable for many.

But in flask-openapi3 the _validate_query pre-processes the incoming data and does all sorts of things, but effectively filters out any unknown query parameters, which prevents the validation error.

In my opinion, the _validate_query should simply let the pydantic model do the validation. Similar to the _validate_path.

The function seems overly complex. Just do this:

```python
from typing import Type
from flask import request

def _validate_query(query: Type[BaseModel], func_kwargs: dict):
    func_kwargs["query"] = query.model_validate(obj=request.args)
```

ddorian commented 2 days ago

> In my opinion, the _validate_query should simply let the pydantic model do the validation.

This works until you need to do arrays, or complex parameter styles defined in OpenAPI.

It would be great if this type of parsing was moved elsewhere though (like in pydantic?)

There should be a general library that parses form, query, path and headers for the different OpenAPI 3 parameter styles.

We have to look at how other frameworks, like FastAPI or Litestar, do it.
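
An added example (not flask-openapi3's code and not from either commenter) of the behaviour discussed in this thread: building the validation input only from declared fields silently drops unknown query parameters, so `extra="forbid"` never fires, while passing unknown keys through lets pydantic reject them and still collects repeated keys for list fields. The helpers `collect`, `validate_query` and `error_types`, the `tag` field and the sample query strings are assumptions made for the illustration.

```python
from typing import List, Optional, get_origin
from urllib.parse import parse_qs

from pydantic import BaseModel, ConfigDict, Field, ValidationError


class MyQueryParams(BaseModel):
    model_config = ConfigDict(extra="forbid")
    some_id: Optional[str] = None
    tag: List[str] = Field(default_factory=list)  # hypothetical array parameter


def collect(model, raw, keep_unknown):
    """Turn {key: [values]} from the query string into input for pydantic."""
    data = {}
    for key, values in raw.items():
        field = model.model_fields.get(key)
        if field is None:
            # Undeclared parameter: dropping it here hides it from the model,
            # so extra="forbid" can never reject the request.
            if keep_unknown:
                data[key] = values[0]
            continue
        # Repeated keys become a list only for list-typed fields.
        is_list = get_origin(field.annotation) is list
        data[key] = values if is_list else values[0]
    return data


def validate_query(model, query_string, keep_unknown=True):
    raw = parse_qs(query_string, keep_blank_values=True)
    return model.model_validate(collect(model, raw, keep_unknown))


def error_types(model, query_string, keep_unknown=True):
    """Return the pydantic error types raised for a query string, if any."""
    try:
        validate_query(model, query_string, keep_unknown)
    except ValidationError as exc:
        return [err["type"] for err in exc.errors()]
    return []


if __name__ == "__main__":
    qs = "some_id=7&tag=a&tag=b&unknown_param=1"  # constructed sample input
    print("filtering:", error_types(MyQueryParams, qs, keep_unknown=False))
    print("pass-through:", error_types(MyQueryParams, qs, keep_unknown=True))
```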