Merge pull request #135 from cdimascio/allow-unknown-q-params

Rejecting unknown query parameters should be optional #133

Author: cdimascio

README.md

@@ -352,6 +352,20 @@ Determines whether the validator should validate requests.
 
 - `true` (**default**) -  validate requests.
 - `false` - do not validate requests.
+- `{ ... }` - validate requests with options
+
+	**allowUnknownQueryParameters:**
+	
+	- `true` - enables unknown/undeclared query parameters to pass validation
+	- `false` - (**default**) fail validation if an unknown query parameter is present
+	
+	For example:
+	
+	```javascript
+	validateRequests: {
+	  allowUnknownQueryParameters: true
+	}
+	```
 
 ### ▪️ validateResponses (optional)
 
@@ -361,7 +375,7 @@ Determines whether the validator should validate responses. Also accepts respons
 - `false` (**default**) -  do not validate responses
 - `{ ... }` - validate responses with options
 
-	**removeAdditional**
+	**removeAdditional:**
 
 	- `"failing"` - additional properties that fail schema validation are automatically removed from the response.
 

package-lock.json

@@ -36,6 +36,7 @@
     "ts-log": "^2.1.4"
   },
   "devDependencies": {
+    "@types/ajv": "^1.0.0",
     "@types/cookie-parser": "^1.4.1",
     "@types/express": "^4.17.0",
     "@types/mocha": "^5.2.7",

package.json

@@ -1,6 +1,7 @@
 import { Request, Response, NextFunction } from 'express';
 import { Logger } from 'ts-log';
 import BasePath from './base.path';
+import ajv = require('ajv');
 export {
   OpenAPIFrameworkArgs,
   OpenAPIFrameworkConstructorArgs,
@@ -19,17 +20,25 @@ export type SecurityHandlers = {
   ) => boolean | Promise<boolean>;
 };
 
+export interface RequestValidatorOptions
+  extends ajv.Options,
+    ValidateRequestOpts {}
+
+export type ValidateRequestOpts = {
+  allowUnknownQueryParameters?: boolean;
+};
+
 export type ValidateResponseOpts = {
   removeAdditional?: string | boolean;
 };
 
 export interface OpenApiValidatorOpts {
   apiSpec: OpenAPIV3.Document | string;
   validateResponses?: boolean | ValidateResponseOpts;
-  validateRequests?: boolean;
+  validateRequests?: boolean | ValidateRequestOpts;
   securityHandlers?: SecurityHandlers;
   coerceTypes?: boolean;
-  unknownFormats?: string[] | string | boolean;
+  unknownFormats?: true | string[] | 'ignore';
   multerOpts?: {};
 }
 

src/framework/types.ts

@@ -5,6 +5,7 @@ import { Application, Response, NextFunction } from 'express';
 import { OpenApiContext } from './framework/openapi.context';
 import {
   OpenApiValidatorOpts,
+  ValidateRequestOpts,
   ValidateResponseOpts,
   OpenApiRequest,
   OpenApiRequestHandler,
@@ -29,6 +30,12 @@ export class OpenApiValidator {
       };
     }
 
+    if (options.validateRequests === true) {
+      options.validateRequests = {
+        allowUnknownQueryParameters: false,
+      };
+    }
+
     this.options = options;
     this.context = new OpenApiContext({
       apiDoc: options.apiSpec,
@@ -101,7 +108,10 @@ export class OpenApiValidator {
   }
 
   private installRequestValidationMiddleware(): void {
-    const { coerceTypes, unknownFormats } = this.options;
+    const { coerceTypes, unknownFormats, validateRequests } = this.options;
+    const { allowUnknownQueryParameters } = <ValidateRequestOpts>(
+      validateRequests
+    );
     const requestValidator = new middlewares.RequestValidator(
       this.context.apiDoc,
       {
@@ -110,6 +120,7 @@ export class OpenApiValidator {
         removeAdditional: false,
         useDefaults: true,
         unknownFormats,
+        allowUnknownQueryParameters,
       },
     );
     const requestValidationHandler: OpenApiRequestHandler = (req, res, next) =>

src/index.ts

@@ -2,12 +2,13 @@ import * as Ajv from 'ajv';
 import * as draftSchema from 'ajv/lib/refs/json-schema-draft-04.json';
 import { formats } from './formats';
 import { OpenAPIV3 } from '../../framework/types';
+import ajv = require('ajv');
 
 const TYPE_JSON = 'application/json';
 
 export function createRequestAjv(
   openApiSpec: OpenAPIV3.Document,
-  options: any = {},
+  options: ajv.Options = {},
 ): Ajv.Ajv {
   return createAjv(openApiSpec, options);
 }

src/middlewares/ajv/index.ts

@@ -1,3 +1,4 @@
+import * as ajv from 'ajv';
 import { createRequestAjv } from './ajv';
 import {
   ContentType,
@@ -7,7 +8,12 @@ import {
 } from './util';
 import ono from 'ono';
 import { NextFunction, Response } from 'express';
-import { OpenAPIV3, OpenApiRequest } from '../framework/types';
+import {
+  OpenAPIV3,
+  OpenApiRequest,
+  RequestValidatorOptions,
+  ValidateRequestOpts,
+} from '../framework/types';
 import { Ajv } from 'ajv';
 
 const TYPE_JSON = 'application/json';
@@ -16,10 +22,16 @@ export class RequestValidator {
   private _middlewareCache;
   private _apiDocs: OpenAPIV3.Document;
   private ajv: Ajv;
+  private _requestOpts: ValidateRequestOpts = {};
 
-  constructor(apiDocs: OpenAPIV3.Document, options = {}) {
+  constructor(
+    apiDocs: OpenAPIV3.Document,
+    options: RequestValidatorOptions = {},
+  ) {
     this._middlewareCache = {};
     this._apiDocs = apiDocs;
+    this._requestOpts.allowUnknownQueryParameters =
+      options.allowUnknownQueryParameters;
     this.ajv = createRequestAjv(apiDocs, options);
   }
 
@@ -106,11 +118,13 @@ export class RequestValidator {
 
     const validator = this.ajv.compile(schema);
     return (req, res, next) => {
-      this.rejectUnknownQueryParams(
-        req.query,
-        schema.properties.query,
-        securityQueryParameter,
-      );
+      if (!this._requestOpts.allowUnknownQueryParameters) {
+        this.rejectUnknownQueryParams(
+          req.query,
+          schema.properties.query,
+          securityQueryParameter,
+        );
+      }
 
       const shouldUpdatePathParams =
         Object.keys(req.openapi.pathParams).length > 0;

src/middlewares/openapi.request.validator.ts

@@ -6,9 +6,10 @@ import * as logger from 'morgan';
 
 import { OpenApiValidator } from '../../src';
 import { startServer, routes } from './app.common';
+import { OpenApiValidatorOpts } from '../../src/framework/types';
 
 export async function createApp(
-  opts?: any,
+  opts?: OpenApiValidatorOpts,
   port: number = 3000,
   customRoutes: (app) => void = () => {},
   useRoutes: boolean = true,

test/common/app.ts

@@ -0,0 +1,54 @@
+import * as path from 'path';
+import * as express from 'express';
+import * as request from 'supertest';
+import { createApp } from './common/app';
+
+const packageJson = require('../package.json');
+
+describe(packageJson.name, () => {
+  let app = null;
+  let basePath = null;
+
+  before(async () => {
+    // Set up the express app
+    const apiSpec = path.join('test', 'resources', 'query.params.yaml');
+    app = await createApp(
+      { apiSpec, validateRequests: { allowUnknownQueryParameters: true } },
+      3005,
+      app =>
+        app.use(
+          `${app.basePath}`,
+          express
+            .Router()
+            .post(`/pets/nullable`, (req, res) => res.json(req.body)),
+        ),
+    );
+  });
+
+  after(() => {
+    app.server.close();
+  });
+
+  it('should pass if known query params are specified', async () =>
+    request(app)
+      .get(`${app.basePath}/pets`)
+      .query({
+        tags: 'one,two,three',
+        limit: 10,
+        breed: 'german_shepherd',
+        owner_name: 'carmine',
+      })
+      .expect(200));
+
+  it('should not fail if unknown query param is specified', async () =>
+    request(app)
+      .get(`${app.basePath}/pets`)
+      .query({
+        tags: 'one,two,three',
+        limit: 10,
+        breed: 'german_shepherd',
+        owner_name: 'carmine',
+        unknown_prop: 'test',
+      })
+      .expect(200));
+});