Closed FrederickRauh closed 2 years ago
stevehu
commented
2 years ago In production, the service validation should be fail-fast in order to make the attacks more difficult. If you return all errors at the same time, it is easier for attackers to forge a request. Here is an article I have written and hope it helps.
FrederickRauh
commented
2 years ago "Unless fail-fast is turned on in the configuration, all errors should be returned at the same time and this is the default behaviour."
Hey thanks for the anwser. Unfortunatly this does not seem to be the default behaviour. The validation method itself (doValidate in SchemaValidator) does not regarde the fail-fast variable and only returns the first error from the list of possible errors. The processingReport inside of the method, contains both errors that i force, however as stated it only returns the first error. As per your anwser: i totally understand that behaviour, however i just wanted to point this out, incase anybody else comes across it.
stevehu
commented
2 years ago You are right. There are two components involved here. The json-schema-validator returns all validation errors by default but the openapi-validator is returning only the first error if there are more than one. Hope it clarifies the confusion here. Thanks.
delanym
commented
2 years ago Its not clear how I should configure this to return multiple errors?
FrederickRauh
commented
2 years ago @delanym You would need to modify doValidate in com/mservicetech/openapi/validation/SchemaValidator, to return a list instead of the first found error.
At the current stage the status object only returns a string containing one error. If multiple errors are present maybe a list of these should be returned.