Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
openapi-validator-middleware
Advanced tools
Fast input validation middleware using OpenAPI 2.0 (formerly Swagger) and 3.0 definitions file and ajv
This package provides data validation within an Express, Koa or Fastify app according to a Swagger/OpenAPI definition. It uses Ajv under the hood for validation.
NOTICE: As this package gone through a long way, as we added support for OpenAPI definitions, while also adding support for more frameworks such as Koa and Fastify, we finally took the step of changing express-ajv-swagger-validation name to something that describes it better. As of now we'll be using the name openapi-validator-middleware instead.
There are no code changes in openapi-validator-middleware@2.0.0
compared to express-ajv-swagger-validation@1.2.0
apart from the name change.
Table of Contents
Install using the node package registry:
npm install --save openapi-validator-middleware
Then import the module in your code:
const swaggerValidation = require('openapi-validator-middleware');
This middleware function validates the request body, headers, path parameters and query parameters according to the paths definition of the swagger file. Make sure to use this middleware inside a route definition in order to have req.route.path
assigned to the most accurate express route.
fastifyOptions
: Only applicable for fastify
framework. See below.skiplist
: Endpoint paths for which validation should not be applied. An array of strings in RegExp format, e. g. ['^/pets$']
Initialize the middleware using a swagger definition. The function executes synchronously and does not return anything.
pathToSwaggerFile
: Path to the swagger definition.options
: Additional options for the middleware (see below).Initialize the middleware using a swagger definition. The function executes asynchronously and the resolved promise does not return anything.
This Initilaztion function also supports schema with references to external files.
pathToSwaggerFile
: Path to the swagger definition.options
: Additional options for the middleware (see below).Options currently supported:
framework
- Defines in which framework the middleware is working ('fastify', 'koa' or 'express'). As default, set to 'express'.
formats
- Array of formats that can be added to ajv
configuration, each element in the array should include name
and pattern
.
formats: [
{ name: 'double', pattern: /\d+\.(\d+)+/ },
{ name: 'int64', pattern: /^\d{1,19}$/ },
{ name: 'int32', pattern: /^\d{1,10}$/ }
]
keywords
- Array of keywords that can be added to ajv
configuration, each element in the array can be either an object or a function.
If the element is an object, it must include name
and definition
. If the element is a function, it should accept ajv
as its first argument and inside the function you need to call ajv.addKeyword
to add your custom keyword
beautifyErrors
- Boolean that indicates if to beautify the errors, in this case it will create a string from the Ajv error.
query/limit should be <= 100
- query parampath/petId should NOT be shorter than 3 characters
- path param not in formatbody/[0].test.field1 should be string
- Item in an array bodybody/test should have required property 'field1'
- nested fieldbody should have required property 'name'
- Missing field in bodyYou can see more examples in the tests.
firstError
- Boolean that indicates if to return only the first error.
makeOptionalAttributesNullable
- Boolean that forces preprocessing of Swagger schema to include 'null' as possible type for all non-required properties. Main use-case for this is to ensure correct handling of null values when Ajv type coercion is enabled
ajvConfigBody
- Object that will be passed as config to new Ajv instance which will be used for validating request body. Can be useful to e. g. enable type coercion (to automatically convert strings to numbers etc). See Ajv documentation for supported values.
ajvConfigParams
- Object that will be passed as config to new Ajv instance which will be used for validating request body. See Ajv documentation for supported values.
contentTypeValidation
- Boolean that indicates if to perform content type validation in case consume
field is specified and the request body is not empty.
expectFormFieldsInBody
- Boolean that indicates whether form fields of non-file type that are specified in the schema should be validated against request body (e. g. Multer is copying text form fields to body)
errorFormatter
- optional custom function that will be invoked to create a validation error that will be thrown if Ajv validation fails. Function should accept two parameters: (errors, middlewareOptions)
and return an error that will be thrown.
swaggerValidation.init('test/unit-tests/input-validation/pet-store-swagger.yaml');
const app = express();
app.use(bodyParser.json());
app.get('/pets', swaggerValidation.validate, (req, res, next) => {
return res.json({ result: 'OK' });
});
app.post('/pets', swaggerValidation.validate, (req, res, next) => {
return res.json({ result: 'OK' });
});
app.get('/pets/:petId', swaggerValidation.validate, (req, res, next) => {
return res.json({ result: 'OK' });
});
app.use((err, req, res, next) => {
if (err instanceof swaggerValidation.InputValidationError) {
return res.status(400).json({ more_info: JSON.stringify(err.errors) });
}
});
const server = app.listen(serverPort, () => {});
'use strict';
const Koa = require('koa');
const Router = require('koa-router');
const bodyParser = require('koa-bodyparser');
const inputValidation = require('openapi-validator-middleware');
const app = new Koa();
const router = new Router();
app.use(bodyParser());
app.use(router.routes());
inputValidation.init('test/pet-store-swagger.yaml', { framework: 'koa' });
router.get('/pets', inputValidation.validate, async (ctx, next) => {
ctx.status = 200;
ctx.body = { result: 'OK' };
});
router.post('/pets', inputValidation.validate, async (ctx, next) => {
ctx.status = 200;
ctx.body = { result: 'OK' };
});
router.get('/pets/:petId', inputValidation.validate, async (ctx, next) => {
ctx.status = 200;
ctx.body = { result: 'OK' };
});
router.put('/pets', inputValidation.validate, async (ctx, next) => {
ctx.status = 200;
ctx.body = { result: 'OK' };
});
app.use(async (ctx, next) => {
try {
return await next();
} catch (err) {
if (err instanceof inputValidation.InputValidationError) {
ctx.status = 400;
ctx.body = err.errors;
}
throw err;
}
})
app.listen(process.env.PORT || 8888, function () {
console.log('listening on', this.address());
});
'use strict';
const fastify = require('fastify');
const inputValidation = require('openapi-validator-middleware');
async function getApp() {
inputValidation.init('test/pet-store-swagger.yaml', {
framework: 'fastify'
});
const app = fastify({ logger: true });
app.register(inputValidation.validate({
skiplist: ['^/_metrics$']
}));
app.setErrorHandler(async (err, req, reply) => {
if (err instanceof inputValidation.InputValidationError) {
return reply.status(400).send({ more_info: JSON.stringify(err.errors) });
}
reply.status(500);
reply.send();
});
app.get('/pets', (req, reply) => {
reply.status(204).send();
});
await app.ready();
return app;
}
const inputValidation = require('openapi-validator-middleware');
const validatorA = inputValidation.getNewMiddleware('test/pet-store-swaggerA.yaml', {framework: 'express'});
const validatorB = inputValidation.getNewMiddleware('test/pet-store-swaggerB.yaml', {framework: 'express'});
app.get('/pets', validatorA.validate, (req, res, next) => {
return res.json({ result: 'OK' });
});
app.post('/pets', validatorB.validate, (req, res, next) => {
return res.json({ result: 'OK' });
});
It is important to set the type
property of any Schema Objects explicitly to object
. Although it isn't required in the OpenAPI specification, it is necessary in order for Ajv to work correctly.
Multipart/form-data (files) support is based on express/multer
.
Fastify support requires uri-js
dependency to be installed. Make sure to run npm install uri-js
.
When using this package as a middleware for fastify, the validations errors will be thrown.
When using this package as middleware for koa, the validations errors will be thrown.
This package supports Koa servers that use koa-router
, koa-bodyparser
and koa-multer
.
The tests use mocha, istanbul and mochawesome. Run them using the node test script:
npm test
FAQs
Fast input validation middleware using OpenAPI 2.0 (formerly Swagger) and 3.0 definitions file and ajv
The npm package openapi-validator-middleware receives a total of 12,566 weekly downloads. As such, openapi-validator-middleware popularity was classified as popular.
We found that openapi-validator-middleware demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.