Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
fastify-swagger
Advanced tools
Serve Swagger/OpenAPI documentation for Fastify, supporting dynamic generation
Serve Swagger / OpenAPI for Fastify. It can either use the schemas you declare in your routes to dynamically generate an OpenAPI/Swagger-compliant doc, or serve a static OpenAPI specification document.
Supports Fastify versions >=2.0.0
. Please refer to this branch and related versions for Fastify ^1.9.0
compatibility.
npm i fastify-swagger --save
Add it to your project with register
and pass it some basic options, then call the swagger
api and you are done!
const fastify = require('fastify')()
fastify.register(require('fastify-swagger'), {
routePrefix: '/documentation',
swagger: {
info: {
title: 'Test swagger',
description: 'testing the fastify swagger api',
version: '0.1.0'
},
externalDocs: {
url: 'https://swagger.io',
description: 'Find more info here'
},
host: 'localhost',
schemes: ['http'],
consumes: ['application/json'],
produces: ['application/json'],
tags: [
{ name: 'user', description: 'User related end-points' },
{ name: 'code', description: 'Code related end-points' }
],
definitions: {
User: {
type: 'object',
required: ['id', 'email'],
properties: {
id: { type: 'string', format: 'uuid' },
firstName: { type: 'string' },
lastName: { type: 'string' },
email: {type: 'string', format: 'email' }
}
}
},
securityDefinitions: {
apiKey: {
type: 'apiKey',
name: 'apiKey',
in: 'header'
}
}
},
uiConfig: {
docExpansion: 'full',
deepLinking: false
},
staticCSP: true,
transformStaticCSP: (header) => header
exposeRoute: true
})
fastify.put('/some-route/:id', {
schema: {
description: 'post some data',
tags: ['user', 'code'],
summary: 'qwerty',
params: {
type: 'object',
properties: {
id: {
type: 'string',
description: 'user id'
}
}
},
body: {
type: 'object',
properties: {
hello: { type: 'string' },
obj: {
type: 'object',
properties: {
some: { type: 'string' }
}
}
}
},
response: {
201: {
description: 'Successful response',
type: 'object',
properties: {
hello: { type: 'string' }
}
}
},
security: [
{
"apiKey": []
}
]
}
}, (req, reply) => {})
fastify.ready(err => {
if (err) throw err
fastify.swagger()
})
fastify-swagger
supports two registration modes dynamic
and static
:
dynamic
mode is the default one, if you use the plugin this way - swagger specification would be gathered from your routes definitions.
{
// swagger 2.0 options
swagger: {
info: {
title: String,
description: String,
version: String
},
externalDocs: Object,
host: String,
schemes: [ String ],
consumes: [ String ],
produces: [ String ],
tags: [ Object ],
securityDefinitions: Object
},
// openapi 3.0.3 options
// openapi: {
// info: {
// title: String,
// description: String,
// version: String,
// },
// externalDocs: Object,
// servers: [ Object ],
// components: Object,
// security: [ Object ],
// tags: [ Object ]
// }
}
All the above parameters are optional. You can use all the properties of the swagger specification and openapi specification, if you find anything missing, please open an issue or a pr!
fastify-swagger will generate Swagger v2 by default. If you pass the openapi
option it will generate OpenAPI instead.
Example of the fastify-swagger
usage in the dynamic
mode, swagger
option is available here and openapi
option is available here.
option | default | description |
---|---|---|
exposeRoute | false | Exposes documentation route. |
hiddenTag | X-HIDDEN | Tag to control hiding of routes. |
stripBasePath | true | Strips base path from routes in docs. |
swagger | {} | Swagger configuration. |
openapi | {} | OpenAPI configuration. |
transform | null | Transform method for schema. |
uiConfig* | {} | Configuration options for Swagger UI |
initOAuth | {} | Configuration options for Swagger UI initOAuth |
staticCSP | false | Enable CSP header for static resources. |
transformStaticCSP | undefined | Synchronous function to transform CSP header for static resources if the header has been previously set. |
uiConfig
accepts only literal (number/string/object) configuration values since they are serialized in order to pass them to the generated UI. For more details see: #5710.
If you do not supply a description
for your response, a default description will be provided for you, because this is a required field per the Swagger schema.
So this:
fastify.get('/defaultDescription', {
schema: {
response: {
200: {
type: 'string'
}
}
}
}, () => {})
Generates this in the Swagger (OAS2) schema's paths
:
{
"/defaultDescription": {
"get": {
"responses": {
"200": {
"description": "Default Response",
"schema": {
"type": "string"
}
}
}
}
}
}
And this in the OAS 3 schema's paths
:
{
"/defaultDescription": {
"get": {
"responses": {
"200": {
"description": "Default Response",
"schema": {
"type": "string"
}
}
}
}
}
}
If you do supply just a description
, it will be used both for the response as a whole and for the response body schema.
So this:
fastify.get('/description', {
schema: {
response: {
200: {
description: 'response and schema description',
type: 'string'
}
}
}
}, () => {})
Generates this in the Swagger (OAS2) schema's paths
:
{
"/description": {
"get": {
"responses": {
"200": {
"description": "response and schema description",
"schema": {
"description": "response and schema description",
"type": "string"
}
}
}
}
}
}
And this in the OAS 3 schema's paths
:
{
"/description": {
"get": {
"responses": {
"200": {
"description": "response and schema description",
"content": {
"application/json": {
"schema": {
"description": "response and schema description",
"type": "string"
}
}
}
}
}
}
}
}
If you want to provide a different description for the response as a whole, instead use the x-response-description
field alongside description
:
fastify.get('/responseDescription', {
schema: {
response: {
200: {
'x-response-description': 'response description',
description: 'schema description',
type: 'string'
}
}
}
}, () => {})
Which generates this in the Swagger (OAS2) schema's paths
:
{
"/responseDescription": {
"get": {
"responses": {
"200": {
"description": "response description",
"schema": {
"description": "schema description",
"type": "string"
}
}
}
}
}
}
And this in the OAS 3 schema's paths
:
{
"/responseDescription": {
"get": {
"responses": {
"200": {
"description": "response description",
"content": {
"application/json": {
"schema": {
"description": "schema description",
"type": "string"
}
}
}
}
}
}
}
}
fastify
itself support the 2xx
, 3xx
status, however swagger
itself do not support this feature. We will help you to transform the 2xx
status code into 200
and we will omit 2xx
status code when you already declared 200
status code.
Note: openapi
will not be affected as it support the 2xx
syntax.
Example:
{
response: {
'2xx': {
description: '2xx'
type: 'object'
}
}
}
// it will becomes below
{
response: {
200: {
schema: {
description: '2xx'
type: 'object'
}
}
}
}
You can decorate your own response headers by follow the below example.
{
response: {
200: {
type: 'object',
headers: {
'X-Foo': {
type: 'string'
}
}
}
}
}
Note: You need to specify type
property when you decorate the response headers, otherwise the schema will be modified by fastify
.
We support status code 204 and return empty body. Please specify type: 'null'
for the response otherwise fastify
itself will fail to compile the schema.
{
response: {
204: {
type: 'null',
description: 'No Content'
}
}
}
static
mode should be configured explicitly. In this mode fastify-swagger
serves given specification, you should craft it yourself.
{
mode: 'static',
specification: {
path: './examples/example-static-specification.yaml',
postProcessor: function(swaggerObject) {
return swaggerObject
},
baseDir: '/path/to/external/spec/files/location',
},
}
Example of the fastify-swagger
usage in the static
mode is available here.
specification.postProcessor
parameter is optional. It allows you to change your swagger object on the fly (for example - based on the environment). It accepts swaggerObject
- a JavaScript object which was parsed from your yaml
or json
file and should return a swagger object.
specification.baseDir
allows specifying the directory where all spec files that are included in the main one using $ref
will be located.
By default, this is the directory where the main spec file is located. Provided value should be an absolute path without trailing slash.
If you pass { exposeRoute: true }
during the registration the plugin will expose the documentation with the following apis:
url | description |
---|---|
'/documentation/json' | the JSON object representing the API |
'/documentation/yaml' | the YAML object representing the API |
'/documentation/' | the swagger UI |
'/documentation/*' | external files which you may use in $ref |
If you would like to overwrite the /documentation
url you can use the routePrefix
option.
fastify.register(require('fastify-swagger'), {
swagger: {
info: {
title: 'Test swagger',
description: 'testing the fastify swagger api',
version: '0.1.0'
},
...
},
hiddenTag: 'X-HIDDEN',
exposeRoute: true,
routePrefix: '/documentations'
}
If you would like to use different schemas like, let's say Joi, you can pass a synchronous transform
method in the options to convert them back to standard JSON schemas expected by this plugin to generate the documentation (dynamic
mode only).
const convert = require('joi-to-json')
fastify.register(require('fastify-swagger'), {
swagger: { ... },
...
transform: schema => {
const {
params = undefined,
body = undefined,
querystring = undefined,
...others
} = schema
const transformed = { ...others }
if (params) transformed.params = convert(params)
if (body) transformed.body = convert(body)
if (querystring) transformed.querystring = convert(querystring)
return transformed
}
}
Calling fastify.swagger
will return to you a JSON object representing your api, if you pass { yaml: true }
to fastify.swagger
, it will return you a yaml string.
Note: OA's terminology differs from Fastify's. OA uses the term "parameter" to refer to those parts of a request that in Fastify's validation documentation are called "querystring", "params", "headers".
OA provides some options beyond those provided by the JSON schema specification for specifying the shape of parameters. A prime example of this the option for specifying how to encode those parameters that should be handled as arrays of values. There is no single universally accepted method for encoding such parameters appearing as part of query strings. OA2 provides a collectionFormat
option that allows specifying how an array parameter should be encoded. (We're giving an example in the OA2 specification, as this is the default specification version used by this plugin. The same principles apply to OA3.) Specifying this option is easy. You just need to add it to the other options for the field you are defining. Like in this example:
fastify.route({
method: 'GET',
url: '/',
schema: {
querystring: {
type: 'object',
required: ['fields'],
additionalProperties: false,
properties: {
fields: {
type: 'array',
items: {
type: 'string'
},
minItems: 1,
//
// Note that this is an Open API version 2 configuration option. The
// options changed in version 3.
//
// Put `collectionFormat` on the same property which you are defining
// as an array of values. (i.e. `collectionFormat` should be a sibling
// of the `type: "array"` specification.)
collectionFormat: 'multi'
}
}
}
},
handler (request, reply) {
reply.send(request.query.fields)
}
})
There is a complete runnable example here.
IMPORTANT CAVEAT These encoding options you can set in your schema have no bearing on how, for instance, a query string parser parses the query string. They change how Swagger UI presents its documentation, and how it generates curl
commands when you click the Try it out
button. Depending on which options you set in your schema, you may also need to change the default query string parser used by Fastify so that it produces a JavaScript object that will conform to the schema. As far as arrays are concerned, the default query string parser conforms to the collectionFormat: "multi"
specification. If you were to select collectionFormat: "csv"
, you would have to replace the default query string parser with one that parses CSV parameter values into arrays. The same caveat applies to the other parts of a request that OA calls "parameters" (e.g. headers, path parameters) and which are not encoded as JSON in a request.
Note: not supported for OA2 and lower version of specification. Read more in OA3 documentation.
http://localhost/?filter={"foo":"baz","bar":"qux"}
IMPORTANT CAVEAT You also need to change the default query string parser used by Fastify so that it produces a JavaScript object that will conform to the schema. See example.
fastify.route({
method: 'GET',
url: '/',
schema: {
querystring: {
type: 'object',
required: ['filter'],
additionalProperties: false,
properties: {
filter: {
type: 'object',
required: ['foo'],
properties: {
foo: { type: 'string' },
bar: { type: 'string' }
},
'x-consume': 'application/json'
}
}
}
},
handler (request, reply) {
reply.send(request.query.filter)
}
})
And this in the OAS 3 schema's paths
:
{
"/": {
"get": {
"parameters": [
{
"in": "query",
"name": "filter",
"required": true,
"content": {
"application/json": {
"schema": {
"type": "object",
"required": [
"foo"
],
"properties": {
"foo": {
"type": "string"
},
"bar": {
"type": "string"
}
}
}
}
}
}
]
}
}
}
Sometimes you may need to hide a certain route from the documentation, there is 2 alternatives:
{ hide: true }
to the schema object inside the route declaration.hiddenTag
options property inside the route declaration. Default is X-HIDDEN
.You can integration this plugin with fastify-helmet
with some little work.
fastify-helmet
options example:
.register(helmet, instance => {
return {
contentSecurityPolicy: {
directives: {
...helmet.contentSecurityPolicy.getDefaultDirectives(),
"form-action": ["'self'"],
"img-src": ["'self'", "data:", "validator.swagger.io"],
"script-src": ["'self'"].concat(instance.swaggerCSP.script),
"style-src": ["'self'", "https:"].concat(
instance.swaggerCSP.style
),
}
}
}
})
Global security definitions and route level security provide documentation only. It does not implement authentication nor route security for you. Once your authentication is implemented, along with your defined security, users will be able to successfully authenticate and interact with your API using the user interfaces of the documentation.
In order to start development run:
npm i
npm run prepare
So that swagger-ui static folder will be generated for you.
fastify-static
serve the swagger-ui
static files, then it calls /docs/json
to get the swagger file and render it.
Sometimes you already have a Swagger definition and you need to build Fastify routes from that. In that case checkout fastify-swaggergen which helps you in doing just that.
This project is kindly sponsored by:
Licensed under MIT.
FAQs
`fastify-swagger@5.2.0` has been deprecated. Please use `@fastify/swagger@6.0.0` instead.
We found that fastify-swagger demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 17 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.