Handling undefined request parameters #110
Comments
|
eHealth encountered a problem where a typo in a client did go unnoticed because it wasn't validated, so seems useful to them. Default Axway APIGW behavior is to strip unknown query params which is also quite dangerous (but this behavior can be changed to pass through any unknown query param). Other use case: support for complex search queries on a lot of parameters, e.g. "?age=...", "?age_lt=...", "?age_gt=..." For JSON payloads, strictly speaking additional properties are by default allowed, but this behavior can probably be configured in most validators (I'll verify this). Using a different schema for request (disallowing additional props) and response (allowing additional props) has too much impact however. WG decided that:
We could consider standardizing upon an OpenAPI extension keyword to declare support of undefined parameters (e.g. x-additional-query-params: like OpenAPI's additionalProperties/patternProperties), but this doesn't seem worthwhile for now. I'll create a PR with a rule. We should still discuss if another type of input validation issue than "schemaViolation" should be returned within the bad request problem response. |
|
I couldn't find any option to configure commonly used openapi validators to fail on unknown JSON properties during request processing. One feature request was refused, saying that the schema should be changed instead to The Jackson library can be tuned to fail or ignore unknown JSON properties:
|
|
Proposal for issue type: |
|
For consistency with #113, where issue types like maybe Or should we add the Request to the other issue types? |
|
I agree to drop "request", it's redundant with "input-validation" |
|
TODO: check if those using GCloud's APIGW can work together for implementation (only in combination with in: query or in: body ; in : path => ResourceNotFound , in: header => unknown is allowed for http headers) |
|
Maybe an explicit mention should be made in the guidelines that this rule does not apply for API's that consume JSON events / notifications / webhooks via an HTTP POST? A new property added by the publisher of the events should not cause an error at the consumer side. Just like unknown properties should be ignored by the client when consuming data retrieved from a server. |
|
Unknown parameters should indeed be accepted in any webhook/callback request. We'd also have to clearly define semantics around callbacks (client, service, API, ...) to avoid confusion because the API (application programming interface) is defined by the sender of the events in such a case. |
|
Can this be closed? https://www.belgif.be/specification/rest/api-guide/#rule-req-valid |
Formulate guidelines how an API should handle request parameters (in JSON body, query param or other) that aren't defined in OpenAPI.
For response elements, the guideline is for clients to ignore unknown properties to be able to evolve an API:
Service consumers should be aware that JSON objects can always be extended with additional JSON properties. This shouldn’t break the client code. The unknown properties must be ignored.For request parameters, this makes less sense however:
A (very specific) counter-example is an Angular paging table view component which may send additional query params to an API that can be safely ignored.
OpenAPI (JSON Schema) allows additional JSON properties by default, but for query parameters the situation is less clear.
Some interesting reads on this topic:
The text was updated successfully, but these errors were encountered: