express-openapi-validator
readonly is ignored when properties are inherited through allOf
Describe the bug
The request validator mistakenly makes a requestBody property required, even if it is marked as readonly. This is achievable by using inheritance with allOf.
To Reproduce
Given the spec:
openapi: 3.0.1
info:
  version: 1.0.0
  title: test
paths:
  /cars:
    post:
      requestBody:
        content:
          "application/json":
            schema:
              $ref: "#/components/schemas/Car"
      responses:
        200:
          description: OK
components:
  schemas:
    Car:
      type: object
      required:
        - id
        - name
      allOf:
        - $ref: "#/components/schemas/CarPartial"
    CarPartial:
      type: object
      properties:
        id:
          type: string
          readOnly: true
        name:
          type: string
With validateRequests: true in the middleware configuration, and by posting a request to the path with this request body:
{
  "name": "Opel Corsa"
}
Will result in a validation error with the following message: request/body must have required property 'id'
Actual behavior
A validation error will be thrown, indicating the id field marked as readonly is required in the request body.
Expected behavior
The request should be considered valid and no errors should be thrown.
Examples and context
Refer to the snippet above.
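The rule behind the expected behavior, as an added example that is not part of the original report and is not express-openapi-validator's code: OpenAPI 3.0 makes a `readOnly` property listed in `required` mandatory on responses only, so a request-side check has to merge `allOf` branches before it decides which required names to drop. All function names are hypothetical, only local `$ref`s without escaping are handled, and the naive variant is shown only because it yields the same symptom as the report.

```javascript
// Added example: hypothetical helpers, not express-openapi-validator code.
// The issue's spec as a plain object (constructed from the YAML above).
const spec = { components: { schemas: {
  Car: {
    type: 'object',
    required: ['id', 'name'],
    allOf: [{ $ref: '#/components/schemas/CarPartial' }],
  },
  CarPartial: {
    type: 'object',
    properties: { id: { type: 'string', readOnly: true }, name: { type: 'string' } },
  },
} } };

// Resolve a local "#/a/b/c" reference against the document.
function deref(doc, schema) {
  while (schema && schema.$ref) {
    schema = schema.$ref.slice(2).split('/').reduce((node, key) => node[key], doc);
  }
  return schema;
}

// Merge properties and required lists across the schema and its allOf branches.
function flatten(doc, schema, out = { properties: {}, required: new Set() }) {
  const s = deref(doc, schema);
  for (const [name, prop] of Object.entries(s.properties || {})) {
    out.properties[name] = deref(doc, prop);
  }
  (s.required || []).forEach((name) => out.required.add(name));
  (s.allOf || []).forEach((sub) => flatten(doc, sub, out));
  return out;
}

// Required names for a request body: readOnly ones apply to responses only.
function requiredInRequest(doc, schema) {
  const { properties, required } = flatten(doc, schema);
  return [...required].filter((n) => !(properties[n] && properties[n].readOnly)).sort();
}

// Naive variant: consults only the schema's own `properties`, missing allOf.
function requiredInRequestNaive(doc, schema) {
  const s = deref(doc, schema);
  const own = s.properties || {};
  return (s.required || []).filter((n) => !(own[n] && own[n].readOnly)).sort();
}

// Names a request body still has to supply.
const missing = (doc, schema, body) =>
  requiredInRequest(doc, schema).filter((n) => !(n in body));
```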