Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@asteasolutions/zod-to-openapi
Advanced tools
@asteasolutions/zod-to-openapi is an npm package that allows you to convert Zod schemas to OpenAPI (Swagger) definitions. This is particularly useful for generating API documentation from your Zod validation schemas, ensuring that your API documentation stays in sync with your validation logic.
Convert Zod Schema to OpenAPI Schema
This feature allows you to convert a Zod schema into an OpenAPI schema. The code sample demonstrates how to define a Zod schema for a user object and then convert it into an OpenAPI schema.
const { z } = require('zod');
const { openApi } = require('@asteasolutions/zod-to-openapi');
const userSchema = z.object({
id: z.string(),
name: z.string(),
email: z.string().email()
});
const openApiSchema = openApi({
title: 'User',
version: '1.0.0',
schema: userSchema
});
console.log(JSON.stringify(openApiSchema, null, 2));
Generate OpenAPI Documentation
This feature allows you to generate a complete OpenAPI document from Zod schemas. The code sample demonstrates how to define a Zod schema for a user object, convert it into an OpenAPI schema, and then generate an OpenAPI document that includes an endpoint for retrieving users.
const { z } = require('zod');
const { openApi, generateOpenApiDocument } = require('@asteasolutions/zod-to-openapi');
const userSchema = z.object({
id: z.string(),
name: z.string(),
email: z.string().email()
});
const openApiSchema = openApi({
title: 'User',
version: '1.0.0',
schema: userSchema
});
const openApiDocument = generateOpenApiDocument({
openapi: '3.0.0',
info: {
title: 'My API',
version: '1.0.0'
},
paths: {
'/users': {
get: {
summary: 'Get Users',
responses: {
'200': {
description: 'A list of users',
content: {
'application/json': {
schema: openApiSchema
}
}
}
}
}
}
}
});
console.log(JSON.stringify(openApiDocument, null, 2));
zod-to-json-schema is a package that converts Zod schemas to JSON Schema. While it does not directly generate OpenAPI documentation, JSON Schema is a core part of OpenAPI, so you can use the generated JSON Schema as part of your OpenAPI definitions. Compared to @asteasolutions/zod-to-openapi, it requires additional steps to integrate with OpenAPI.
swagger-jsdoc is a package that generates OpenAPI (Swagger) documentation from JSDoc comments in your code. Unlike @asteasolutions/zod-to-openapi, which generates OpenAPI schemas from Zod validation schemas, swagger-jsdoc relies on JSDoc comments to generate the documentation. This can be more flexible but requires you to maintain JSDoc comments separately from your validation logic.
openapi-typescript is a package that generates TypeScript types from OpenAPI schemas. While it operates in the opposite direction compared to @asteasolutions/zod-to-openapi (which generates OpenAPI schemas from Zod schemas), it can be used in conjunction with @asteasolutions/zod-to-openapi to ensure type safety across your API documentation and TypeScript codebase.
A library that uses zod schemas to generate an Open API Swagger documentation.
We keep a changelog as part of the GitHub releases.
We at Astea Solutions made this library because we use zod for validation in our APIs and are tired of the duplication to also support a separate OpenAPI definition that must be kept in sync. Using zod-to-openapi
, we generate OpenAPI definitions directly from our zod schemas, this having single source of truth.
Simply put, it turns this:
const UserSchema = registry.register(
'User',
z.object({
id: z.string().openapi({ example: '1212121' }),
name: z.string().openapi({ example: 'John Doe' }),
age: z.number().openapi({ example: 42 }),
})
);
registry.registerPath({
method: 'get',
path: '/users/{id}',
summary: 'Get a single user',
request: {
params: z.object({ id: z.string() }),
},
responses: {
200: {
mediaType: 'application/json',
schema: UserSchema.openapi({
description: 'Object with user data',
}),
},
},
});
into this:
components:
schemas:
User:
type: object
properties:
id:
type: string
example: '1212121'
name:
type: string
example: John Doe
age:
type: number
example: 42
required:
- id
- name
- age
/users/{id}:
get:
summary: Get a single user
parameters:
- in: path
name: id
schema:
type: string
required: true
responses:
'200':
description: Object with user data
content:
application/json:
schema:
$ref: '#/components/schemas/User'
and you can still use UserSchema
and the request.params
object to validate the input of your API.
npm install @asteasolutions/zod-to-openapi
# or
yarn add @asteasolutions/zod-to-openapi
openapi
methodTo keep openapi definitions natural, we add an openapi
method to all Zod objects. For this to work, you need to call extendZodWithOpenApi
once in your project.
Note: This should be done only once in a common-entrypoint file of your project (for example an index.ts
/app.ts
). If you're using tree-shaking with Webpack, mark that file as having side-effects.
import { extendZodWithOpenApi } from '@asteasolutions/zod-to-openapi';
import { z } from 'zod';
extendZodWithOpenApi(z);
// We can now use `.openapi()` to specify OpenAPI metadata
z.string().openapi({ description: 'Some string' });
The OpenAPIRegistry
is used to track definitions which are later generated using the OpenAPIGenerator
class.
import {
OpenAPIRegistry,
OpenAPIGenerator,
} from '@asteasolutions/zod-to-openapi';
const registry = new OpenAPIRegistry();
// Register definitions here
const generator = new OpenAPIGenerator(registry.definitions);
return generator.generateComponents();
generateComponents
will generate only the /components
section of an OpenAPI document (e.g. only schemas
and parameters
), not generating actual routes.
An OpenAPI schema should be registered using the register
method of an OpenAPIRegistry
instance.
const UserSchema = registry.register(
'User',
z.object({
id: z.string().openapi({ example: '1212121' }),
name: z.string().openapi({ example: 'John Doe' }),
age: z.number().openapi({ example: 42 }),
})
);
If run now, generateComponents
will generate the following structure:
components:
schemas:
User:
type: object
properties:
id:
type: string
example: '1212121'
name:
type: string
example: John Doe
age:
type: number
example: 42
required:
- id
- name
- age
The key for the schema in the output is the first argument passed to .register
(in this case - User
).
Note that generateComponents
does not return YAML but a JS object - you can then serialize that object into YAML or JSON depending on your use-case.
The resulting schema can then be referenced by using $ref: #/components/schemas/User
in an existing OpenAPI JSON. This will be done automatically for Routes defined through the registry.
An OpenAPI path is registered using the registerPath
method of an OpenAPIRegistry
instance.
registry.registerPath({
method: 'get',
path: '/users/{id}',
description: 'Get user data by its id',
summary: 'Get a single user',
request: {
params: z.object({
id: z.string().openapi({ example: '1212121' }),
}),
},
responses: {
200: {
mediaType: 'application/json',
schema: UserSchema.openapi({
description: 'Object with user data.',
}),
},
204: z.void(),
},
});
The YAML equivalent of the schema above would be:
'/users/{id}':
get:
description: Get user data by its id
summary: Get a single user
parameters:
- in: path
name: id
schema:
type: string
example: '1212121'
required: true
responses:
'200':
description: Object with user data.
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'204':
description: No content - successful operation
The library specific properties for registerPath
are method
, path
, request
and responses
. Everything else gets directly appended to the path definition.
method
- One of get
, post
, put
, delete
and patch
;path
- a string - being the path of the endpoint;request
- an optional object with optional body
, params
, query
and headers
keys,
query
, params
- being instances of ZodObject
body
- being any zod
instanceheaders
- an array of zod
instancesresponses
- an object where the key is the status code or default
and the value is either:
ZodVoid
- meaning a no content responsemediaType
(a string like application/json
) and a schema
of any zod typeIf you don't want to inline all parameter definitions, you can define them separately with registerParameter
and then reference them:
const UserIdParam = registry.registerParameter(
'UserId',
z.string().openapi({
param: {
name: 'id',
in: 'path',
},
example: '1212121',
})
);
registry.registerPath({
...
request: {
params: z.object({
id: UserIdParam
}),
},
responses: ...
});
The YAML equivalent would be:
components:
parameters:
UserId:
in: path
name: id
schema:
type: string
example: '1212121'
required: true
'/users/{id}':
get:
...
parameters:
- $ref: '#/components/parameters/UserId'
responses: ...
Note: In order to define properties that apply to the parameter itself, use the param
property of .openapi
. Any properties provided outside of param
would be applied to the schema for this parameter.
A full OpenAPI document can be generated using the generateDocument
method of an OpenAPIGenerator
instance. It takes one argument - the document config. It may look something like this:
return generator.generateDocument({
openapi: '3.0.0',
info: {
version: '1.0.0',
title: 'My API',
description: 'This is the API',
},
servers: [{ url: 'v1' }],
});
A full example code can be found here. And the YAML representation of its result - here
In a file inside your project you can have a file like so:
export const registry = new OpenAPIRegistry();
export function generateOpenAPI() {
const config = {...}; // your config comes here
return new OpenAPIGenerator(schemas.definitions).generateDocument(config);
}
You then use the exported registry
object to register all schemas, parameters and routes where appropriate.
Then you can create a script that executes the exported generateOpenAPI
function. This script can be executed as a part of your build step so that it can write the result to some file like openapi-docs.json
.
The list of all supported types as of now is:
ZodString
ZodNumber
ZodBoolean
ZodDefault
ZodEffects
- only for .refine()
ZodLiteral
ZodEnum
ZodNativeEnum
ZodObject
ZodArray
ZodUnion
ZodIntersection
ZodRecord
ZodUnknown
In case you try to create an OpenAPI schema from a zod schema that is not one of the aforementioned types then you'd receive an UnknownZodTypeError
.
You can still register such schemas on your own by providing a type
via the .openapi
method. In case you think that the desired behavior can be achieved automatically do not hesitate to reach out to us by describing your case via Github Issues.
Note: The ZodEffects
schema from the .transform
method is an example for a zod schema that cannot be automatically generated since the result of the transformation resides only as a type definition and is not an actual zod specific object.
FAQs
Builds OpenAPI schemas from Zod schemas
The npm package @asteasolutions/zod-to-openapi receives a total of 258,883 weekly downloads. As such, @asteasolutions/zod-to-openapi popularity was classified as popular.
We found that @asteasolutions/zod-to-openapi demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.