swagger-api/swagger-codegen

Server vs Client generation differences on data validation

Open

#2304 opened on Mar 3, 2016

Labels: Enhancement: General, help wanted

Description

From @zanona on March 3, 2016 16:10

I have noticed that most clients that can be generated through Swagger, such as JavaScript, will comply with JSON Schema properties like enum, maxLength, minimum, required, etc. for the request body (i.e. /users/POST [User Model]).

However, from what I have tested, all generated server code, such as Node.js, Go, etc., will simply skip that information and leave the API wide open to accepting any kind of payload or wrong property format through requests, unlike APIs in the wild such as GitHub's or Twitter's, which will probably filter the payload and block any unwanted data format, or analyse whether all required properties for the body object have been sent.

Is the fact that most generated servers are not analysing this information something that has been discussed before? It would be interesting to know the reason for validations being made only in client-side generated code, leaving the API vulnerable.

Copied from original issue: swagger-api/swagger-core#1693
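The kind of server-side check the issue says the generated stubs lack, as an added example (not swagger-codegen's generated code and not from the issue author): it enforces the schema keywords named above (required, type, enum, maxLength, minimum) on a request body before a handler acts on it. The User schema, the payloads and the handler shape are constructed for illustration.

```javascript
// Added example: server-side enforcement of the JSON Schema keywords the issue
// names, so a generated Node.js server does not accept arbitrary payloads.
// The schema below is a constructed User model, not one from the project.
const userSchema = {
  type: 'object',
  required: ['name', 'role'],
  properties: {
    name: { type: 'string', maxLength: 32 },
    role: { type: 'string', enum: ['admin', 'member'] },
    age:  { type: 'integer', minimum: 0 },
  },
};

// Returns a list of violations; an empty list means the body conforms.
function validateBody(schema, body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body: expected an object'];
  }
  for (const key of schema.required || []) {
    if (!(key in body)) errors.push(`${key}: required property missing`);
  }
  for (const [key, rule] of Object.entries(schema.properties)) {
    if (!(key in body)) continue;
    const value = body[key];
    if (rule.type === 'string' && typeof value !== 'string') {
      errors.push(`${key}: expected string`);
      continue;
    }
    if (rule.type === 'integer' && !Number.isInteger(value)) {
      errors.push(`${key}: expected integer`);
      continue;
    }
    if (rule.enum && !rule.enum.includes(value)) errors.push(`${key}: not in enum`);
    if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${key}: exceeds maxLength ${rule.maxLength}`);
    if (rule.minimum !== undefined && value < rule.minimum) errors.push(`${key}: below minimum ${rule.minimum}`);
  }
  // Reject properties the schema does not declare, as a strict API would.
  for (const key of Object.keys(body)) {
    if (!(key in schema.properties)) errors.push(`${key}: unexpected property`);
  }
  return errors;
}

// Hypothetical handler shape: reject with 400 on any violation, otherwise proceed.
function handleCreateUser(body) {
  const errors = validateBody(userSchema, body);
  return errors.length ? { status: 400, errors } : { status: 201 };
}
```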
