fastify-openapi-glue
generate a fastify configuration from an openapi specification
A plugin for fastify to autogenerate a configuration based on an OpenApi(v2/v3) specification.
It aims at facilitating "design first" API development, i.e. you write or obtain an API specification and use that to generate code. Given an OpenApi specification, Fastify-openapi-glue handles the fastify configuration of routes, validation schemas, etc. You can also generate your own project from an OpenApi specification.
If you are upgrading from a previous major version of fastify-openapi-glue then please check out UPGRADING.md.
npm i fastify-openapi-glue --save
Add the plugin to your project with register and pass it some basic options and you are done!
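import { dirname } from "node:path";
import { fileURLToPath } from "node:url";
import Fastify from "fastify";
import openapiGlue from "fastify-openapi-glue";
import { Service } from "./service.js";
import { Security } from "./security.js";

// Directory of this module; the specification file is expected next to it.
const currentDir = dirname(fileURLToPath(import.meta.url));
const fastify = Fastify();

const options = {
  specification: `${currentDir}/petstore-openapi.v3.json`,
  serviceHandlers: new Service(),
  securityHandlers: new Security(),
  prefix: "v1",
};

fastify.register(openapiGlue, options);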
All schema and routes will be taken from the OpenApi specification listed in the options. No need to specify them in your code.
specification: this can be a JSON object, or the name of a JSON or YAML file containing a valid OpenApi(v2/v3) file
serviceHandlers: this can be a javascript object or class instance. See the serviceHandlers documentation for more details.
securityHandlers: this can be a javascript object or class instance. See the securityHandlers documentation for more details.
prefix: this is a string that can be used to prefix the routes, it is passed verbatim to fastify. E.g. if the path to your operation is specified as "/operation" then a prefix of "v1" will make it available at "/v1/operation". This setting overrules any "basePath" setting in a v2 specification. See the servers documentation for more details on using prefix with a v3 specification.
operationResolver: a custom operation resolver function, (operationId, method, openapiPath) => handler | routeOptions where method is the uppercase HTTP method (e.g. "GET") and openapiPath is the path taken from the specification without prefix (e.g. "/operation"). Mutually exclusive with serviceHandlers. See the operationResolver documentation for more details.
addEmptySchema: a boolean that allows empty bodies schemas to be passed through. This might be useful for status codes like 204 or 304. Default is false.

specification and either serviceHandlers or operationResolver are mandatory, securityHandlers and prefix are optional.
See the examples section for a demo.
Please be aware that this will refer to your serviceHandlers object or your securityHandler object and not to Fastify as explained in the bindings documentation.
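One way to use the operationResolver signature listed above so that it fails closed, shown as an added example that is not code from fastify-openapi-glue. The route table shape ({ method, path, handler }), the handler names and the sample data are assumptions; handlers are bound explicitly so the example does not depend on the plugin's own this binding.

```javascript
// Added example, not code from fastify-openapi-glue. The route table shape
// ({ method, path, handler }) and the handler names are assumptions.
function makeOperationResolver(routeTable, context) {
  // A Map has no inherited keys, so an operationId such as "constructor" or
  // "toString" cannot resolve to a function from Object.prototype.
  const table = new Map();
  for (const [operationId, entry] of Object.entries(routeTable)) {
    if (typeof entry.handler !== "function") {
      throw new TypeError(`handler for ${operationId} is not a function`);
    }
    table.set(operationId, { ...entry, handler: entry.handler.bind(context) });
  }

  // Signature documented above: (operationId, method, openapiPath) => handler
  return function operationResolver(operationId, method, openapiPath) {
    const entry = table.get(operationId);
    if (entry === undefined) {
      throw new Error(`no handler registered for operation ${operationId}`);
    }
    // Pin each handler to the method and path it was written for, so a changed
    // specification cannot silently attach it to a different route.
    if (entry.method !== method || entry.path !== openapiPath) {
      throw new Error(
        `${operationId} is pinned to ${entry.method} ${entry.path}, ` +
          `but the specification maps it to ${method} ${openapiPath}`,
      );
    }
    return entry.handler;
  };
}

// Constructed sample data for illustration.
const petStore = { pets: new Map([[24, { id: 24, name: "Kitty" }]]) };
const resolver = makeOperationResolver(
  {
    getPetById: {
      method: "GET",
      path: "/pet/{petId}",
      handler(req) {
        return this.pets.get(req.params.petId) ?? null;
      },
    },
  },
  petStore,
);
```

Pass the returned function as the operationResolver option in place of serviceHandlers.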
The OpenAPI specification supports extending an API spec to describe extra functionality that isn't covered by the official specification. Extensions start with x- (e.g., x-myapp-logo) and can contain a primitive, an array, an object, or null.
The following extensions are provided by the plugin:
x-fastify-config (object): any properties will be added to the routeOptions.config property of the Fastify route.
For example, if you wanted to use the fastify-raw-body plugin to compute a checksum of the request body, you could add the following extension to your OpenAPI spec to signal the plugin to specially handle this route:
paths:
  /webhooks:
    post:
      operationId: processWebhook
      x-fastify-config:
        rawBody: true
      responses:
        204:
          description: Webhook processed successfully

x-no-fastify-config (true): this will ignore this specific route as if it was not present in your OpenAPI specification:

paths:
  /webhooks:
    post:
      operationId: processWebhook
      x-no-fastify-config: true
      responses:
        204:
          description: Webhook processed successfully
You can also set custom OpenAPI extensions (e.g., x-myapp-foo) for use within your app's implementation. These properties are passed through unmodified to the Fastify route on {req,reply}.routeOptions.config. Extensions specified on a schema are also accessible (e.g., routeOptions.schema.body or routeOptions.schema.responses[<statusCode>]).
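A serviceHandlers method for the processWebhook route with x-fastify-config rawBody: true shown above, which goes slightly beyond the plain checksum the text mentions by verifying an HMAC-SHA256 signature over the raw bytes. This is an added example, not code from the plugin; the x-webhook-signature header, its hex encoding and the secret are assumptions, and req.rawBody is the field fastify-raw-body fills in by default.

```javascript
// Added example, not code from fastify-openapi-glue.
// Loads node:crypto in a way that works from both ES modules and CommonJS.
const { createHmac, timingSafeEqual } = process.getBuiltinModule
  ? process.getBuiltinModule("node:crypto")
  : require("node:crypto");

const SIGNATURE_HEADER = "x-webhook-signature"; // hypothetical header name

// Returns true only if signatureHex is the HMAC-SHA256 of the exact raw bytes.
function verifyWebhookSignature(rawBody, signatureHex, secret) {
  if (rawBody === undefined || rawBody === null) return false; // body not captured
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false; // missing header, repeated header, or wrong length/alphabet
  }
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return timingSafeEqual(expected, received);
}

class Service {
  constructor(secret) {
    this.secret = secret; // reachable as this.secret because this is the serviceHandlers object
  }

  // Handler for operationId: processWebhook
  processWebhook(req, reply) {
    // Fail closed if the spec lost its x-fastify-config and rawBody is not captured.
    if (req.routeOptions?.config?.rawBody !== true) {
      return reply.code(500).send({ error: "rawBody not enabled for this route" });
    }
    const signature = req.headers[SIGNATURE_HEADER];
    if (!verifyWebhookSignature(req.rawBody, signature, this.secret)) {
      return reply.code(401).send({ error: "invalid signature" });
    }
    // req.body (the parsed JSON) is only trusted after the raw bytes verified.
    return reply.code(204).send();
  }
}
```

The signature is checked against req.rawBody rather than a re-serialized req.body, because any change in whitespace or key order produces a different HMAC.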
To make life even easier there is the openapi-glue cli. The openapi-glue cli takes a valid OpenApi (v2/v3) file (JSON or YAML) and generates a project including a fastify plugin that you can use on any fastify server, a stub of the serviceHandlers class and a skeleton of a test harness to test the plugin.
openapi-glue [options] <OpenApi specification>
or if you don't have openapi-glue installed:
npx github:seriousme/fastify-openapi-glue <OpenApi specification>
This will generate a project based on the provided OpenApi specification. Any existing files in the project folder will be overwritten! See the generator examples section for a demo.
  -p <name>                   The name of the project to generate
  --projectName=<name>        [default: generated-javascript-project]
  -b <dir> --baseDir=<dir>    Directory to generate the project in.
                              This directory must already exist.
                              [default: "."]

The following options are only useful for testing the openapi-glue plugin:
  -c --checksumOnly           Don't generate the project on disk but
                              return checksums only.
  -l --localPlugin            Use a local path to the plugin.
See the generator example section for a demo.
Clone this repository and run npm i.
Executing npm start will start fastify on localhost port 3000 with the routes extracted from the petstore example and the accompanying serviceHandlers definition.
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "params.petId should be integer"
}

{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "Operation findPetsByStatus not implemented"
}

{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "\"name\" is required!"
}
as the pet returned by service.js does not match the response schema.
The folder examples/generated-javascript-project contains the result of running openapi-glue -l --baseDir=examples examples/petstore/petstore-swagger.v2.yaml. The generated code can be started using npm start in examples/generated-javascript-project (you will need to run npm i in the generated folder first).
server/url as there could be multiple values here, use the prefix option if you need to prefix your routes. See the servers documentation for more details.
application/json and text/plain out of the box. The default charset is utf-8. If you need to support different content types, you can use the fastify addContentTypeParser API.
"1" will also pass validation, this can be reconfigured, see Validation and Serialization.
oneOf.
coerceTypes: 'array' as an option to Fastify.
.....due to error strict mode: unknown keyword: "..." then please check out the page on AJV strict mode
npm test before you submit a PR.
Fastify-openapi-glue is the successor to the now deprecated fastify-swaggergen project. Main difference is that it:
Licensed under MIT
[4.8.0] 04-12-2024
FAQs
generate a fastify configuration from an openapi specification
The npm package fastify-openapi-glue receives a total of 42,628 weekly downloads. As such, fastify-openapi-glue popularity was classified as popular.
We found that fastify-openapi-glue demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.