seriousme / fastify-openapi-glue

A plugin for the Fastify webserver to autogenerate a Fastify configuration based on an OpenApi (v2/v3) specification.
MIT License

Presence of cookie not being validated #522

Closed scott-taylor closed 9 months ago

scott-taylor commented 10 months ago

My apologies if this isn't the correct place for this question. I've only been using your library for a week now, so it's very possible I'm missing something. When I created an open api spec I noticed that your library seems to validate the in parameters. It worked great when I tested it with query params, body params, and header params. But now I'm trying to specify a cookie param in the open api spec, and there doesn't seem to be any validation. My service handler is always called even when the cookie is not present. Here's my openapi spec:

{
  "openapi": "3.1.0",
  "info": {
    "title": "My API",
    "version": "1.0.0"
  },
  "paths": {
    "/jwt": {
      "get": {
        "operationId": "jwtGet",
        "parameters": [
          {
            "in": "cookie",
            "name": "jwt",
            "schema": {
              "type": "string"
            },
            "required": true
          }
        ],
        "responses": {
          "200": {
            "description": "successful operation"
          }
        }
      }
    }
  }
}

Am I doing something wrong? Is cookie validation not supported by the library? The petstore example didn't seem to have any "in": "cookie" example.

seriousme commented 10 months ago

Hi Scott,

thanks for asking.

I just looked it up: The OpenApi specification as of 3.0.0 specifies: "query", "header", "path" or "cookie" as valid locations. https://spec.openapis.org/oas/v3.1.0#fixed-fields-9

Fastify-openapi-glue just generates a configuration for Fastify and leaves all the validation to Fastify.

Unfortunately Fastify itself only has out-of-the-box support for validation for: "body","query","params" (path) and "headers" https://fastify.dev/docs/latest/Reference/Validation-and-Serialization/#validation So no support for cookie :-(

Hence it seems not possible to generate a configuration that will validate cookies. If you do find a config that works using standard Fastify (ie. no third party plugins) then I'm happy to try to make Fastify-openapi-glue support that.

Hope this helps.

Kind regards, Hans

Ps. Fastify-openapi-glue should give you a proper warning if it encounters a value that it can't handle so you don't need to search for a needle in a haystack. I will add a warning in the next version.

scott-taylor commented 10 months ago

I understand. There is a https://github.com/fastify/fastify-cookie which I don't think is third party, but it is a plugin, and not part of the base package.

seriousme commented 10 months ago

Yup, in an ideal world the @fastify/cookie would add a "cookie" to the validation phase as well such that we could provide something like:

fastify.route({
    method: "GET",
    url: "/pet/:petId",
    schema: {
        params: {
            type: "object",
            properties: {
                petId: {
                    description: "ID of pet to return",
                    type: "integer",
                    format: "int64",
                },
            },
            required: ["petId"],
        },
        cookie: {
            type: "object",
            properties: {
                buyer: {
                    description: "Buyer of the pet",
                    type: "string",
                },
            },
        },
    },
    handler: {},
});

One could ask the Fastify crew ;-)

The alternative is creating your own prehandler, just for the cookie.

Kind regards, Hans
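
The prehandler alternative mentioned above, as an added example that is not part of the thread or of fastify-openapi-glue: it derives the cookie parameters from the spec posted in the issue and rejects the request with a 400 before the handler runs. The helper names (`parseCookies`, `cookieParams`, `checkCookies`, `makeCookieHook`) are hypothetical, the `pattern` check is an assumption beyond the presence check asked about, and the raw `Cookie` header is read directly so nothing depends on @fastify/cookie.

```javascript
// Added example. `spec` is the OpenAPI document from the issue, trimmed to what the hook needs.
const spec = { paths: { "/jwt": { get: { operationId: "jwtGet", parameters: [
  { in: "cookie", name: "jwt", schema: { type: "string" }, required: true },
] } } } };

// Parse a Cookie request header ("a=1; b=2") into a prototype-less map.
function parseCookies(header = "") {
  const out = Object.create(null);
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue;                 // ignore fragments without "="
    const name = pair.slice(0, eq).trim();
    if (name && !(name in out)) out[name] = pair.slice(eq + 1).trim(); // first value wins
  }
  return out;
}

// Collect the `in: "cookie"` parameters declared for one operationId.
function cookieParams(doc, operationId) {
  for (const pathItem of Object.values(doc.paths))
    for (const op of Object.values(pathItem))
      if (op && op.operationId === operationId)
        return (op.parameters || []).filter((p) => p.in === "cookie");
  throw new Error(`operationId not found: ${operationId}`);
}

// Return an error message for the first violated cookie parameter, or null.
function checkCookies(params, cookies) {
  for (const p of params) {
    const value = cookies[p.name];
    if (value === undefined) {
      if (p.required) return `cookie '${p.name}' is required`;
      continue;                              // optional and absent: nothing to check
    }
    const pattern = p.schema && p.schema.pattern;
    if (pattern && !new RegExp(pattern).test(value)) return `cookie '${p.name}' is malformed`;
  }
  return null;
}

// Build an async (request, reply) hook that answers 400 before the handler runs.
function makeCookieHook(doc, operationId) {
  const params = cookieParams(doc, operationId);
  return async function cookieHook(request, reply) {
    const error = checkCookies(params, parseCookies(request.headers.cookie));
    if (error) return reply.code(400).send({ statusCode: 400, error: "Bad Request", message: error });
  };
}
```

In a Fastify app the returned function would be supplied as a route's `preHandler` or registered with `addHook`; how that is wired into the generated routes is left open here, as it is in the thread.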

seriousme commented 10 months ago

Just released 4.4.2 that contains the cookie warning on NPM. Thanks for raising the issue.

Kind regards, Hans

github-actions[bot] commented 9 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.