libopenapi-validator

Header validation with oneOf or anyOf defined in schema

Open triptesh1212 opened this issue 1 year ago • 2 comments

Hi, I have the following spec.

```json
{
  "openapi": "3.0.0",
  "info": {
    "title": "API Spec With Mandatory Header",
    "version": "1.0.0"
  },
  "paths": {
    "/api-endpoint": {
      "get": {
        "summary": "Restricted API Endpoint",
        "parameters": [
          {
            "name": "apiKey",
            "in": "header",
            "required": true,
            "schema": {
              "oneOf": [
                {
                  "type": "boolean"
                },
                {
                  "type": "integer"
                }
              ]
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful response"
          }
        }
      }
    }
  },
  "components": {
    "securitySchemes": {
      "ApiKeyHeader": {
        "type": "apiKey",
        "name": "apiKey",
        "in": "header"
      }
    }
  },
  "security": [
    {
      "ApiKeyHeader": []
    }
  ]
}
```

However, the library is not checking the header type during validation. Here is the code to reproduce the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"os"

	"github.com/pb33f/libopenapi"
	libopenapiValidator "github.com/pb33f/libopenapi-validator"
)

func main() {

	// temp.json contains the spec shown above.
	specBytes, err := os.ReadFile("temp.json")
	if err != nil {
		fmt.Println("error while reading spec file", err)
		return
	}

	doc, err := libopenapi.NewDocument(specBytes)
	if err != nil {
		fmt.Println("error while creating open api spec document", err)
		return
	}

	req, err := http.NewRequest("GET", "/api-endpoint", nil)
	if err != nil {
		fmt.Println("error while creating new HTTP request", err)
		return
	}

	req.Header.Set("Content-Type", "application/json")
	// A plain string, although the schema only allows boolean or integer.
	req.Header.Set("apiKey", "headerValue")

	v3Model, errs := doc.BuildV3Model()
	if len(errs) > 0 {
		fmt.Println("error while building a Open API spec V3 model", errs)
		return
	}

	v3Model.Model.Servers = nil
	// render the document back to bytes and reload the model.
	_, doc, v3Model, errs = doc.RenderAndReload()
	if len(errs) > 0 {
		fmt.Println("error while reloading the document", errs)
		return
	}

	validator, errs := libopenapiValidator.NewValidator(doc)
	if len(errs) > 0 {
		fmt.Println("error while getting validator", errs)
		return
	}

	paramValidator := validator.GetParameterValidator()

	// Validate only the header parameters of the request.
	isSuccess, valErrs := paramValidator.ValidateHeaderParams(req)

	fmt.Println("is validation successful-", isSuccess)

	if len(valErrs) > 0 {
		fmt.Println("error during validation ", valErrs)
		return
	}

}
```

Outcome of this program is `is validation successful- true`

Our expectation is that the validation should fail as the header value type is string.

Thanks, Triptesh

triptesh1212, May 13 '24 06:05

Hi @daveshanley, I had checked the code base and found out that for the header parameter validation, only validation against schema type is implemented. Could you please update if there is any plan for the enhancement of the header schema validation?

triptesh1212, Jun 11 '24 05:06

I need to look into this.

daveshanley, Aug 02 '24 11:08
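
An added example, not from the issue or from libopenapi-validator's code: a stand-alone Go sketch of the check the report expects, where the raw header string is tested against each branch's primitive type, `oneOf` requires exactly one matching branch and `anyOf` at least one. `headerSchema`, `matchesType`, `countMatches` and `validateHeader` are hypothetical names, only boolean, integer and string are handled, and `"42"` is a constructed sample value.

```go
package main

import (
	"fmt"
	"strconv"
)

// headerSchema is a hypothetical, minimal stand-in for an OpenAPI schema object.
type headerSchema struct {
	Type         string
	OneOf, AnyOf []headerSchema
}

// matchesType handles boolean, integer and string only; other types never match.
func matchesType(raw, typ string) bool {
	_, intErr := strconv.ParseInt(raw, 10, 64)
	return typ == "string" || (typ == "integer" && intErr == nil) ||
		(typ == "boolean" && (raw == "true" || raw == "false"))
}

// countMatches returns how many sub-schemas accept raw.
func countMatches(raw string, subs []headerSchema) (n int) {
	for _, s := range subs {
		if validateHeader(raw, s) == nil {
			n++
		}
	}
	return n
}

// validateHeader enforces type, oneOf (exactly one branch) and anyOf (at least one).
func validateHeader(raw string, s headerSchema) error {
	if s.Type != "" && !matchesType(raw, s.Type) {
		return fmt.Errorf("%q is not a valid %s", raw, s.Type)
	}
	if n := countMatches(raw, s.OneOf); len(s.OneOf) > 0 && n != 1 {
		return fmt.Errorf("%q matched %d oneOf branches, want exactly 1", raw, n)
	}
	if len(s.AnyOf) > 0 && countMatches(raw, s.AnyOf) == 0 {
		return fmt.Errorf("%q matched no anyOf branch", raw)
	}
	return nil
}

func main() {
	apiKey := headerSchema{OneOf: []headerSchema{{Type: "boolean"}, {Type: "integer"}}}
	fmt.Println(validateHeader("headerValue", apiKey), validateHeader("42", apiKey))
}
```

With overlapping branches such as string and integer, `"42"` matches both and fails `oneOf`, while the same branches under `anyOf` accept it.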