A proxy that validates responses and requests against an OpenAPI document. https://www.npmjs.com/package/openapi-cop https://hub.docker.com/r/lxlu/openapi-cop
OpenAPI Compliance Proxy that validates requests and responses against an OpenAPI document
The idea is to place the proxy between a client (e.g. a frontend app) and a web server to catch invalid requests or responses during development. Use this proxy locally or set it up in your development server. In production environments, set the _silent_ flag to forward unmodified response bodies. In any case, validation headers are set that allow to trace down violations to your OpenAPI definition.
Requirements
We run all tests with Node.js versions 10 and 12. Higher versions could possibly work but are not currently
supported.
Installation
To install the CLI globally:
npm install -g openapi-cop
To install the package locally (inside an existing NPM package) and run the proxy programatically:
The openapi-cop node package installs itself as an executable linked as openapi-cop. Run the command with
the --help flag to get information about the CLI:
Usage: openapi-cop [options]
Options:
-s, --file <file> path to the OpenAPI definition file
-h, --host <host> the host of the proxy server (default: "localhost")
-p, --port <port> port number on which to run the proxy (default: 8888)
-t, --target <target> full base path of the target API (format: http(s)://host:port/basePath)
--default-forbid-additional-properties disallow additional properties when not explicitly specified
--silent do not send responses with validation errors, just set validation headers
-w, --watch [watchLocation] watch for changes in a file or directory (falls back to the OpenAPI file)
and restart server accordingly
-v, --verbose show verbose output
-V, --version output the version number
-h, --help output usage information
The proxy validates the requests and responses in the communication with a target server. By default, the proxy will
respond with a 500 status code when the validation fails.
When the --silent is provided, the proxy will forward the server's response body without modification. In this case,
the validation headers are still added.
Module Usage
To run the proxy programatically use runProxy, which returns a Promise<http.Server>:
Can I use this in production?
This tool was originally meant for development scenarios. You can use this in production but we cannot give you any security guarantees. Also running the JSON schema validation is quite CPU-expensive and you likely do not want to validate in both directions in production because of that overhead.
Do I need this if I already generate my client from the OpenAPI?
In case your client and server code is generated from the OpenAPI spec, you might still want to use this proxy. Generated code does usually only provide typing information, but JSON Schema defines much more than that. For example you might define a string property to match a given RegEx and start with the letter "C". This will not be ensured by your generated code at compile time, but will be caught by openapi-cop.
Can I use this with other programming languages?
Yes. This is a proxy and not a middleware. You can use it between whatever HTTP-endpoints you have in your architecture.
...
Validating against 7-petstore.yaml ("Test API 7 - Petstore", version: 1.0.0)
Running test...
Sending request GET /pets
Sending request GET /pets/1
Shutting down servers...
โ should respond with validation headers that are ValidationResult: 7-petstore.yaml
Starting proxy server...
Reading output
...
d_for,"___cxa_allocate_exception":___cxa_allocate_exception,"_emscripten_memcpy_big":_emscripten_memcpy_big,"___cxa_end_catch":___cxa_end_catch,"___resumeException":___resumeException,"__ZSt18uncaught_exceptionv":__ZSt18uncaught_exceptionv,"___cxa_begin_catch":___cxa_begin_catch,"_pthread_getspecific":_pthread_getspecific,"__arraySum":__arraySum,"_pthread_once":_pthread_once,"___syscall54":___syscall54,"___unlock":___unlock,"__isLeapYear":__isLeapYear,"_pthread_setspecific":_pthread_setspecific,"___cxa_throw":___cxa_throw,"___cxa_rethrow":___cxa_rethrow,"___syscall6":___syscall6,"_pthread_cleanup_push":_pthread_cleanup_push,"___cxa_pure_virtual":___cxa_pure_virtual,"___syscall140":___syscall140,"___cxa_find_matching_catch":___cxa_find_matching_catch,"___syscall145":___syscall145,"___syscall146":___syscall146,"STACKTOP":STACKTOP,"STACK_MAX":STACK_MAX,"DYNAMICTOP_PTR":DYNAMICTOP_PTR,"tempDoublePtr":tempDoublePtr,"ABORT":ABORT,"cttz_i8":cttz_i8};// EMSCRIPTEN_START_ASM
AssertionError: should show failure to communicate with the target server: expected false to be true
at ChildProcess.<anonymous> (***/openapi-cop/test/02.integration.test.ts:239:18)
at ChildProcess.emit (events.js:400:28)
at Process.ChildProcess._handle.onexit (internal/child_process.js:282:12) {
showDiff: true,
actual: false,
expected: true,
operator: 'strictEqual'
}
npm ERR! code ELIFECYCLE
npm ERR! errno 7
npm ERR! [email protected] test: `mocha --bail --timeout 60000 --exit build/test/*.test.js`
npm ERR! Exit status 7
please describe in the readme how to set up the dev environment and run the tests.
We are currently rejecting target URI's with protocol https with error message: HTTPS is not supported. Not possible to modify requests/responses when the channel is encrypted. Consider to use openapi-cop behind a SSL proxy.
However it would be useful to support the following scenario: client --http--> proxy --https--> target server
The publish-npm-package.yml workflow fails during npm publish. The package name in package.json must have the same scope as the repository, i.e. "@exxeta/openapi-cop". For this to work also for npmjs.com, we would need to publish under the "exxeta" scope there as well.
I love the idea of a validation proxy and tried it with an OpenAPI 3 spec used by our team.
I am getting the following error and hope you have an idea how to tackle this.
$ npx openapi-cop -s path-to-openapi.yaml -h 8888 -t https://localhost:8083
Validating against openapi.yaml ("API Specification", version: 0.1.0)
RangeError: Maximum call stack size exceeded
at /Volumes/some/repo/node_modules/swagger-client/dist/index.js:1:21167
at tryCatch (/Volumes/some/repo/node_modules/babel-runtime/node_modules/regenerator-runtime/runtime.js:62:40)
And then further down..
Failed to run openapi-cop Reference resolution error: Error: Could not resolve references in OpenAPI document due to the following errors:
[
{},
{}
]
โจ Done in 5.05s.
#10 17.04 npm WARN old lockfile Error: ENOENT: no such file or directory, open '/openapi-cop-docker/mock-server/package.json'
#10 17.04 npm WARN old lockfile Could not fetch metadata for openapi-cop-mock-server@file:../mock-server [Error: ENOENT: no such file or directory, open '/openapi-cop-docker/mock-server/package.json'] {
#10 17.04 npm WARN old lockfile errno: -2,
#10 17.04 npm WARN old lockfile code: 'ENOENT',
#10 17.04 npm WARN old lockfile syscall: 'open',
#10 17.04 npm WARN old lockfile path: '/openapi-cop-docker/mock-server/package.json'
#10 17.04 npm WARN old lockfile }
There is also a warning pointing to a wrong runtime node version:
Finally, there is also a minor warning about deprecated usage: #10 0.638 npm WARN config only Use --omit=dev to omit dev dependencies from the install..
I am trying to use the docker image provided but I am not able to pass in requests to the containerized application. I think this is because the application is listening on localhost or 127.0.0.1. I am exposing the default port 8888 using docker run -p 8888:8888 and the response is curl: (52) Empty reply from server
To Reproduce
Run the docker image using docker run -p 8888:8888 lxlu/openapi-cop. Try any cURL request to http://127.0.0.1:8888
Tasks
Change default host address to 0.0.0.0 or add the ability to modify application host name using the environment variables
Am I doing something wrong here, or is the Docker image broken?
~ $ docker run -it 'lxlu/openapi-cop:v1.3.2'
internal/modules/cjs/loader.js:638
throw err;
^
Error: Cannot find module '../../package.json'
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
at Function.Module._load (internal/modules/cjs/loader.js:562:25)
at Module.require (internal/modules/cjs/loader.js:692:17)
at require (internal/modules/cjs/helpers.js:25:18)
at Object.<anonymous> (/openapi-cop-docker/src/cli.js:13:20)
at Module._compile (internal/modules/cjs/loader.js:778:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
at Module.load (internal/modules/cjs/loader.js:653:32)
at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
at Function.Module._load (internal/modules/cjs/loader.js:585:3)
~ [1]$
The HTTP spec does not require a content-type header for empty responses and some people may argue that such responses even should not contain such header. As a matter of fact even non-empty responses only "SHOULD" contain a content-type header while still not being mandatory.
Note how everything here is .js and the line numbers not matching the .ts source code.
pfcapi-openapi-cop-1 | Validating against api.yaml ("PFC API", version: 1.0.0)
pfcapi-openapi-cop-1 | Additional properties will be forbidden by default. Existing `additionalProperties` settings in the OpenAPI document will NOT be overwritten.
pfcapi-openapi-cop-1 | Failed to run openapi-cop TypeError: Cannot read property 'constructor' of null
pfcapi-openapi-cop-1 | at mapWalkObject (/openapi-cop-docker/src/util.js:209:19)
pfcapi-openapi-cop-1 | at mapWalkObject (/openapi-cop-docker/src/util.js:210:28)
pfcapi-openapi-cop-1 | at mapWalkObject (/openapi-cop-docker/src/util.js:210:28)
pfcapi-openapi-cop-1 | at mapWalkObject (/openapi-cop-docker/src/util.js:210:28)
pfcapi-openapi-cop-1 | at mapWalkObject (/openapi-cop-docker/src/util.js:210:28)
pfcapi-openapi-cop-1 | at Object.mapWalkObject (/openapi-cop-docker/src/util.js:210:28)
pfcapi-openapi-cop-1 | at prepareApiDocument (/openapi-cop-docker/src/app.js:184:21)
pfcapi-openapi-cop-1 | at process._tickCallback (internal/process/next_tick.js:68:7)
pfcapi-openapi-cop-1 | at Function.Module.runMain (internal/modules/cjs/loader.js:834:11)
pfcapi-openapi-cop-1 | at startup (internal/bootstrap/node.js:283:19)
pfcapi-openapi-cop-1 | at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)
pfcapi-openapi-cop-1 exited with code 0
Since February 2021, the openapi schema version 3.1.0 exists and, for the first time, is a true superset of JSON Schema. This opens the door for simpler tooling that already exists in the context of JSON Schema.
Currently
We run our tests against openapi documents with versions 3.0.x and 2.0.x.
We don't know if our current dependencies (mainly openapi-backend) support 3.1.0 out of the box.
This change will...
Create tests and test data targeting openapi 3.1.0.
Evaluate compatibility of dependencies with openapi 3.1.0.
Propose a minimal change that grants openapi-cop support for openapi 3.1.0.
I've noticed that the source code doe does not properly register the response validator if an operation's content type is defined with the charset identifier, such as
content:
application/json; charset=UTF-8:
The issue seems to be line 438 of node_modules/openapi-backend/validation.js, where it simply checks to see if the content is application/json, this missing an application/json with a charset identifier.
< HTTP/1.1 302 FOUND
< Server: Werkzeug/2.2.2 Python/3.10.7
< Date: Mon, 26 Sep 2022 22:33:59 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 669
< Location: $REDURECT_URL
< Vary: Cookie
< Set-Cookie: session=$COOKIE HttpOnly; Path=/
< Connection: close
<
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="$REDURECT_URL">$REDURECT_URL</a>. If not, click the link.
However, when proxied through openapi-cop, I get this error Error: Exceeded maxRedirects. Probably stuck in a redirect loop $REDIRECT_URL. With the server outputting this:
(node:8) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 pipe listeners added. Use emitter.setMaxListeners() to increase limit
2022-09-26T22:34:53.451Z openapi-cop:proxy Validation results [GET /api/user/signin]
{
"request": {
"valid": true,
"errors": null
}
}
2022-09-26T22:34:53.456Z openapi-cop:proxy Could not send request: Error: Exceeded maxRedirects. Probably stuck in a redirect loop $REDIRECT_URL
This makes the proxy unusable for endpoints that redirect.
I am trying to use this to validate a hosted backend whose target URL happens to include dots and dashes, the target URL validation regex used only validates word characters /w and it should allow any URI valid character.
To Reproduce
Try any URL with dots, dashes in it, i.e. http://demo-server:8000/v1/
Tasks
Modify target URL validation regex to allow more characters, something like \w+:\/\/[A-Za-z0-9\-._~:\/?#[\]@!$&'()*+,;=]+:(\d{4})(\/|$)
Hello, love the project idea, but while looking to bring this into an existing codebase, I hit a snag where it was giving a 500 internal server error when using Content-Type application/health+json. I would like to follow the rfc health check endpoint spec https://inadarei.github.io/rfc-healthcheck/.
The yaml spec for the endpoint is:
/api/health:
get:
summary: Healthcheck to determine health of API.
responses:
200:
description: The request's query parameters.
content:
application/health+json:
schema:
type: object
properties:
status:
type: string
example: "ok"
description:
type: string
example: Description of endpoint.
version:
type: string
example: "0.0.1"
releaseId:
type: string
example: "release-id"
notes:
type: array
items:
type: string
example: [""]
output:
type: string
example: "Output of error"
2022-09-26T21:49:33.007Z openapi-cop:proxy Received server response with status code 200
2022-09-26T21:49:33.008Z openapi-cop:proxy Validation results [GET /api/health]
{
"request": {
"valid": true,
"errors": null
}
}
If I change the Content-Type to application/json in the response, I get a 200 response, with a openapi-cop-validation-result containing response and responseHeaders objects.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent