swagger-api/swagger-codegen

Server vs Client generation differences on data validation

Open

#2.304 aberto em 3 de mar. de 2016

Ver no GitHub
 (11 comments) (0 reactions) (0 assignees)HTML (5.474 forks)batch import
Enhancement: Generalhelp wanted

Métricas do repositório

Stars
 (12.701 stars)
Métricas de merge de PR
 (Nenhuma PRs mesclada em 30d)

Description

From @zanona on March 3, 2016 16:10

I have noticed that most clients that can be generated through Swagger such as javascript will comply to JSON's Schema properties like enum, maxLength, minimum, required, etc for request body (i.e: /users/POST [User Model])

However from what I have tested, all generated server codes such as Node.js, Go, etc, will simply skip that information and leave the API wide open for accepting any kind of payload or wrong property format through the requests, differently than API in the wild such as Github's, Twitter, etc where those will probably filter the payload and block any unwanted data format or analyse of all required properties for the body object have been sent.

Is the fact that most generated servers are not analysing this information something that has been discussed before? It would be interesting to know the reason for validations being only made from client-side generated code leaving the API vulnerable?

Copied from original issue: swagger-api/swagger-core#1693

Guia do colaborador