swagger-object-validator

What?

Validate an Object against a given swagger (V2.0) API definition.

A swagger definition specifies an API with requests and data models, and there are a lot of compilers to create server and client skeletons. There are some tools that validate the requests that were sent to the server, but surprisingly there is a huge lack of (good) validators for response bodies.

Just test it quickly and be amazed:

Why this and not some other tool?

The API is awesome, it gives you easy and full control over what's happening:

• Every error has a detailed stack trace so you can find where and what is wrong easily
• Stack traces are in a format that allows computer programs to understand what's wrong without parsing strings
• You can add your own rules or ignore certain errors
• Other tools do not like splitted specifications (via $ref)
• Most other tools do not implement very special constraints (like regex, int32/int64, minItems...)

Features

Validation

The following swagger specifications are validated:

• All the basic stuff like Numbers, Strings, Enums, Arrays, Objects
• Required properties
• Int32/Int64, Float/Double, Booleans
• Dates and Date-Times
• Maps (additionalProperties)
• Inheritance (allOf)
• Polymorphism (discriminator)
• Custom polymorphism that uses enums
• All kinds of references ($ref)

Flexible API

• Load your swagger spec from a JSON/yaml file, the interwebs or load it yourself and do your stuff first
• Validate your object either by name or by a specification object
• Get useful stack traces of all the validation errors that occured
• Stack traces are readable by both programs and humans
• Need to add custom validation rules or ignore certain errors? No problem!
• TypeScript support

Quick start

Please ensure that the swagger spec itself is valid to prevent unexpected errors, this module does not verify the spec itself.

Let's assume you got a pet from your pet store and want to validate it.

Using TypeScript

import * as SwaggerValidator from 'swagger-object-validator';
let validator = new SwaggerValidator.Handler('https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v2.0/yaml/petstore.yaml');

let pet = {
    id: 123,
    name: 'Doge'
};
validator.validateModel(pet, 'Pet', (err, result) => {
    console.log(result.humanReadable());
});

Using JavaScript

var swaggerValidator = require('swagger-object-validator');
var validator = new swaggerValidator.Handler('https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v2.0/yaml/petstore.yaml');

var pet = {
    id: 123,
    name: 'Doge'
};
validator.validateModel(pet, 'Pet', function (err, result) {
    console.log(result.humanReadable());
});

Both will print out "Valid", since they comply to the swagger specification.

Error Trace

So lets change our pet model to be invalid (the rest of the code remains the same):

var pet = {
    id: 'This is not a number',
    foo: 'bar',
    tag: [
        'This is an optional argument, but it',
        'Should be a String, not an Array of Strings'
    ]
}

Now it will print out:

Missing required property:
	 - At Pet/name

Type mismatch:
	 - At Pet/id
	 - Should be: "number"
	 - Is: "string"

Additional Property:
	 - At Pet/foo

Type mismatch:
	 - At Pet/tag
	 - Should be: "string"
	 - Is: "array"

This is the human readable error trace, because we called result.humanReadable(). It will print out a full path to the error, where each step is seperated with a slash. They come quite handy if you need to find an error in a very complex model, and they support array positions and polymorphism!

The human readable trace is just a rendered version of result.errors, which looks like this:

[
    {
        "errorType": "MISSING_REQUIRED_PROPERTY",
        "trace": [
            {
                "stepName": "Pet"
            },
            {
                "stepName": "name"
            }
        ]
    },
    {
        "errorType": "ADDITIONAL_PROPERTY",
        "trace": [
            {
                "stepName": "Pet"
            },
            {
                "stepName": "foo"
            }
        ]
    },
    {
        "trace": [
            {
                "stepName": "Pet"
            },
            {
                "stepName": "id"
            }
        ],
        "errorType": "TYPE_MISMATCH",
        "typeIs": "string",
        "typeShouldBe": "number"
    },
    {
        "trace": [
            {
                "stepName": "Pet"
            },
            {
                "stepName": "tag"
            }
        ],
        "errorType": "TYPE_MISMATCH",
        "typeIs": "array",
        "typeShouldBe": "string"
    }
]

Ways to load a specification

JSON/yaml/URL

You may load JSON or yaml files from your disk or from the interwebs. It doesn't matter!

import * as SwaggerValidator from 'swagger-object-validator';
let validator = new SwaggerValidator.Handler('https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v2.0/yaml/petstore.yaml');
// or
let validator = new SwaggerValidator.Handler('./petstore.yaml');
// or
let validator = new SwaggerValidator.Handler('./petstore.json');
// or
let petStore = require('./petstore.json');
let validator = new SwaggerValidator.Handler(petStore);

Without an entire swagger spec

Up to now we always loaded the complete Swagger Specification. Maybe you don't need that and already know the exact model spec? Just validate against a model spec directly:

import * as SwaggerValidator from 'swagger-object-validator';
let validator = new SwaggerValidator.Handler();

let spec = {
    type: "array",
    items: {
        type: "string"
    }
}

let model = ['1', '2'];
validator.validateModel(model, spec, (err, result) => {
    console.log(result.humanReadable());
});

Inline models / unnamed models

If you need to validate a model against a definition that is not part of the definitions section, you can fetch the model specification like so:

import * as SwaggerValidator from 'swagger-object-validator';
let validator = new SwaggerValidator.Handler('https://raw.githubusercontent.com/YStrauch/swagger-object-validator/master/test/specs/yaml/swagger.yaml');

// Fetch the unnamed model from i.e. a path
let schema = json.paths['/person'].post.parameters[0].schema

validator.validateModel({'name': 'Homer'}, schema).then(result => {
    console.log(result.humanReadable());
});

Config

You can hand in a configuration object. Before diving in each of them let's look over it quickly:

interface IValidatorConfig {
  // for relative $refs, defaults to './'
  partialsDir?: string;

  // allow additional properties not defined in the Spec, defaults to false
  allowAdditionalProperties?: boolean;

  // allow usage of x-nullable for properties, defaults to false
  allowXNullable?: boolean;

  // will not check for uniqueItems constraint if there are more than this many, defaults to 100
  disableUniqueItemsOver?: number;
  // suppresses the console warning when uniqueItems was disabled due to disableUniqueItemsOver, defaults to false
  suppressUniqueItemsWarning?: boolean;

  // disallow fetching of HTTP and HTTPS resources, both default to false
  disallowHttp?: boolean;
  disallowHttps?: boolean;

  // add custom validation rules (sync and async)
  customValidation?: (
    test: any,
    schema: Swagger.Schema,
    spec: Swagger.Spec,
    trace: Array<ITraceStep>,
    otherErrors: Array<ICustomValidationError>,
    resolve?: (validationErrors: ICustomValidationError[]) => void,
    reject?: (reason: string) => void
  ) => ICustomValidationError[] | void | undefined;

  // you can ignore certain errors
  ignoreError?: ( // cb to ignore errors
    error: IValidationError,
    value: any,
    schema: Swagger.Schema,
    spec: Swagger.Spec
  ) => boolean;
}

Partials directory for $ref

$ref gives you the possibility to split your specification across different files (or even servers). There are multiple types of $refs:

// internal $ref
$ref: '#/definitions/Pet'

// $ref to the interwebs
$ref: 'https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v2.0/yaml/petstore.yaml#/definitions/Pet'

// relative $ref
$ref: './pet.json'

The last kind of $refs, the relative ones, uses process.cwd() to determine the absolute path. If you want those $refs to resolve to another directory, you may specify a base path:

let config = {
  partialsDir: '/some/path/'
}
let validator = new SwaggerValidator.Handler('spec.yml', config);

Disallowing HTTP or HTTPs

As described in the paragraph above Swagger allows references to the interwebs. If you do not want this you can set a corresponding option:

let config = {
  disallowHttp: true,
  disallowHttps: true
};
let validator = new Handler('http://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v2.0/yaml/petstore.yaml', config);

Allowing Additional properties

By default, every property that is not specified within the swagger definition adds an ADDITIONAL_PROPERTY error to the stack. If you want to allow certain properties you can do that with the ignoreError function (see "Ignoring Errors" below), or you can allow all additional properties at once with a config entry:

let config: IValidatorConfig = {
    allowAdditionalProperties: true
};

Allowing x-nullable properties

A common extension for Swagger 2 is x-nullable, based on nullable from the OpenAPI 3 spec. This allows a property to be returned as null instead of the intended type.

By enabling this configuration, the x-nullable property is recognized and respected when validating types.

let config: IValidatorConfig = {
    allowXNullable: true
};

Limiting the Unique Items Constraint

Since version 1.4.0, this library implements the uniqueItems constraint. This constraint can be set on array specs to disallow duplicate items and emit a ConstraintViolation if needed.

Detecting duplicate items needs to compare all items pairwise, and since items can be of arbitrary depth, this could bring drastic performance bottlenecks when you have a big number of items (or very complex items).

To prevent the validator to get stuck on this, by default it will never validate arrays for uniqueness that have more than 100 elements. You can change that cap with the disableUniqueItemsOver in your validator config to accommodate your needs and hardware.

If the cap is exceeded, a console warning will be emitted by default. You can disable this warning by setting suppressUniqueItemsWarning to true in your validator config.

For example, if you want to validate unique lists of up to 300 elements, you can change the cap and disable warnings like so:

let config = {
  disableUniqueItemsOver: 300,
  suppressUniqueItemsWarning: true
}
let validator = new SwaggerValidator.Handler('spec.yml', config);

Just remember that the algorithm will scale exponentially in the number of items.

Ignoring errors

You may want to ignore certain errors. Let's assume you need some magic to allow a certain string to be valid on a field that should normally be a number (because of reasons):

let config: IValidatorConfig = {
    ignoreError: (error, value, schema, spec) => {
      // ignore type mismatches on Pet/id when a certain value occures
      return error.errorType === ValidationErrorType.TYPE_MISMATCH
        && error.trace[0].stepName === 'Pet'
        && error.trace[1].stepName === 'id'
        && schema.type === 'integer'
        && value === 'magicKeyThatWillBeAllowed';
    }
};
let validator = new Handler('https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v2.0/yaml/petstore.yaml', config);
let pet = {
  id: 'magicKeyThatWillBeAllowed',
  name: 'Doge'
};
validator.validateModel(pet, 'Pet', (err, result) => {
  console.log(result.humanReadable()); // valid

Custom validation rules

You may need to implement custom rules, for example you may want to ensure that a pet name always starts with an uppercase letter. (For that specific use case you should probably just use a "pattern" regex swagger rule but for the sake of documentation we forget about this)

let config: IValidatorConfig = {
    customValidation: (test, schema, spec, trace, otherErrors) => {
      // only validate Pet/name
      if (trace.length !== 2
        || trace[trace.length - 2].stepName !== 'Pet'
        || trace[trace.length - 1].stepName !== 'name') {
        // the property is not a pet name, so do not return any validation errors
        return [];
      }

      // no need to ensure that petName is actually a string, because this will be already done for you
      let firstChar = test.substr(0,1);
      if (firstChar !== firstChar.toUpperCase()) {
        return [
          // You may throw a custom error, where content is any type
          {
            errorType: ValidationErrorType.CUSTOM, // or 6 for JS
            trace: trace,
            content: 'Name must start with an uppercase letter'
          }
        ];
      }

      // pet starts with an uppercase, so do not return validation errors
      return [];
    }
  };

You may either return an array of errors, or if you need to do asynchronously magic, you can use the resolve callback (or the reject callback to throw a critical error). Make sure not to mix return and resolve though.

customValidation: (test, schema, spec, trace, otherErrors, resolve, reject) => {
  setTimeout(() => resolve([]), 100);
}

Important:

• Swagger-Object-Validator will run its validation logic before your custom validation is called. If any validation error occur within that logic, your handler is not called. (Would be annoying if we had to check if the name is a string right?)
• With great power comes great runtime exceptions. If you allow for example a string on an object field to pass, the Object validator will crash because it expects its input to be an object. This hook should be used with caution.
• Normally you should not need to implement custom rules, because you will add constraints that are not specified within the specification. Think first if you may be better on with a regex experssion, a min/max or any other swagger constraint.

Polymorphism

Swagger-Object-Validator can work with two types of polymorphism.

Standard polymorphism

Medium is a superclass of Image and Video. The discriminator type can either be "Image" or "Video". This is the way swagger intended polymorphism.

Medium:
  required:
    - type
  properties:
    type:
      type: string
Image:
    required:
      - source
    allOf:
      - $ref: '#/definitions/Medium'
    properties:
      source:
        type: string
Video:
    required:
      - length
    allOf:
      - $ref: '#/definitions/Medium'
    properties:
      length:
        type: integer

let medium = {
  type: 'Image',
  source: 'source' // property only exists within image
};

// the plot in polymorphism is that you validate
// your model against the abstract Medium class,
// not against the concrete Image class
validator.validateModel(medium, 'Medium', (err, result) => {
  //...
});

Enum polymorphism

Instead of using the Name of the object, enum polymorphism uses enums to differentiate:

Section:
  required:
    - sectionType
  discriminator: sectionType
  properties:
    sectionType:
      type: string
      enum:
        - TEXT_SECTION
        - IMAGE_SECTION

TextSection:
  allOf:
    - $ref: '#/definitions/Section'
  properties:
    sectionType:
      type: string
      enum:
        - TEXT_SECTION
    textContent:
      type: string

ImageSection:
  required:
    - imageSource
  allOf:
    - $ref: '#/definitions/Section'
  properties:
    sectionType:
      type: string
      enum:
        - IMAGE_SECTION
    imageSource:
      type: string

let section = {
  sectionType: 'TEXT_SECTION',
  textContent: 'Custom polymorphed text section'
};

Polymorphism within the stack trace

The stack trace will tell you if polymorphism was detected. So if a Medium may be an Image, and Polymorphism was detected, a trace may look like this:

{
    "errors": [
        {
            "errorType": "MISSING_REQUIRED_PROPERTY",
            "trace": [
                {
                    "stepName": "Medium",
                    "concreteModel": "Image" // here
                },
                {
                    "stepName": "source"
                }
            ]
        }
    ]
}

HumanReadable:

Missing required property:
	 - At Medium<Image>/source

Potentially breaking Changes

1.3.0

• Fixed typo, changed ValidationErrorType from 'CONSTRAINTS_VIOATION' to 'CONSTRAINTS_VIOLATION' (added missing L)
• If you call validateModel() without a full-fledged spec (i.e. just the model definition), the first error step did previously not have a name. This was changed to the dedicated name 'root'.

1.4.0

• The ValidationErrorType in result.model was changed from a numeric enum to a more verbose string enum. This will mainly affect JavaScript applications and their logic to handle specific validation errors. TypeScript applications should be unaffected if the enums were used as documented. The values changed from integers between 0 and 6 to 'MISSING_REQUIRED_PROPERTY', 'ADDITIONAL_PROPERTY', 'TYPE_MISMATCH', 'ENUM_MISMATCH', 'DATE_FORMAT', 'CONSTRAINTS_VIOLATION', and 'CUSTOM'. This deprecated errorsWithStringTypes.
• Added support for uniqueItems. Please also read about the default cap of 100 items here.

Development

Technical Setup

Install node.js. Then run: npm install --global yarn; yarn install. Please make sure to use an IDE with TSLint and EditorConfig installed (i.e. Visual Studio Code).

Development

This project is entirely test-driven. You can run tests locally like this:

npm run-script watch:test # Build the application, run tests and watch the FS
npm run-script debug # Very useful to trace bugs. You need a remote debugging software, I use VSCode debugger

Tests need to have minimum code to test the desired effect. Don't include huge swagger specs.

Pull-Requests

Please ensure that your pull request includes tests that demonstrate the feature or bug fix and that your code conforms to the TSLint specifications in this project.