openapistack / openapi-backend

Build, Validate, Route, Authenticate and Mock using OpenAPI
https://openapistack.co
MIT License
608 stars, 83 forks

Content-Type is not validated #229

Open julrich1 opened 2 years ago

julrich1 commented 2 years ago

It looks like openapi-backend isn't validating the Content-Type defined in the OpenAPI specification and, worse, it will happily pass along payloads that aren't valid. For a quick example, if I have an endpoint defined as such:

    requestBody:
      required: true
      content:
        application/json:
          schema:
            type: object
            properties:
              messages:
                type: array
                minItems: 1
                maxItems: 100
                items:
                  $ref: '#/components/schemas/MessageID'

The validation works great when I pass a Content-Type: application/json header, but if I set the header value to text/plain, the endpoint is called with no validation and the payload is empty. Is there perhaps an easy way to verify the content is as expected?

tomasvalentaopenbean commented 2 years ago

AFAIK, from when I was going through the code to troubleshoot some issues, the schema is validated only for content-type: application/json. The other content-types are ignored (not validated).

julrich1 commented 2 years ago

> AFAIK, from when I was going through the code to troubleshoot some issues, the schema is validated only for content-type: application/json. The other content-types are ignored (not validated).

I think that probably makes sense, but openapi-backend should probably reject other types; otherwise the payloads are being passed without any validation.

tomasvalentaopenbean commented 2 years ago

Right. I am not saying this is not a bug. It should support other content-types. A similar/same issue has already been raised: #94
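One way to close the gap described in this thread is to reject any request whose Content-Type is not declared under the operation's `requestBody.content` before the body reaches the schema validator. This is an added example, not code from openapi-backend or from the commenters; the function names, the `hasBody` flag and the choice of 400/415 status codes are assumptions, and `operation` is a plain OpenAPI 3 operation object.

```javascript
// Added example: pre-validation Content-Type gate for an OpenAPI 3 operation.
// All function names here are hypothetical; no openapi-backend API is used.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const type = header.split(';')[0].trim().toLowerCase(); // drop "; charset=..." etc.
  return /^[^\s\/]+\/[^\s\/]+$/.test(type) ? type : null;
}

// Does a media range from the spec ("application/json", "text/*", "*/*") cover `type`?
function rangeMatches(range, type) {
  const [rMain, rSub] = range.toLowerCase().split(';')[0].trim().split('/');
  const [tMain, tSub] = type.split('/');
  return (rMain === '*' || rMain === tMain) && (rSub === '*' || rSub === tSub);
}

// Returns { ok: true } or { ok: false, status, reason } for the caller to map to a response.
function checkRequestContentType(operation, contentTypeHeader, hasBody) {
  const requestBody = operation && operation.requestBody;
  const declared = Object.keys((requestBody && requestBody.content) || {});
  if (declared.length === 0) return { ok: true }; // operation declares no body
  if (!hasBody && !contentTypeHeader) {
    return requestBody.required
      ? { ok: false, status: 400, reason: 'request body is required' }
      : { ok: true };
  }
  const type = parseMediaType(contentTypeHeader);
  if (!type) return { ok: false, status: 415, reason: 'missing or malformed Content-Type' };
  if (!declared.some((range) => rangeMatches(range, type))) {
    return { ok: false, status: 415, reason: `${type} not declared; expected: ${declared.join(', ')}` };
  }
  return { ok: true };
}

// Constructed sample mirroring the requestBody from the issue (schema shortened).
const sampleOperation = {
  requestBody: { required: true, content: { 'application/json': { schema: { type: 'object' } } } },
};
console.log(checkRequestContentType(sampleOperation, 'text/plain', true));
```

Run the check in the HTTP framework's middleware with the raw `Content-Type` header, and only pass the request on for schema validation when `ok` is true.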