EXXETA/openapi-cop EXXETA/openapi-cop

  • Stars
    star
    370
  • Rank 115,405 (Top 3 %)
  • Language
    TypeScript
  • License
    MIT License
  • Created almost 5 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
EXXETA/openapi-cop
github

EXXETA

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A proxy that validates responses and requests against an OpenAPI document. https://www.npmjs.com/package/openapi-cop https://hub.docker.com/r/lxlu/openapi-cop

openapi-cop

OpenAPI Compliance Proxy that validates requests and responses against an OpenAPI document

License CI status NPM version Docker Image Version (latest semver)

The idea is to place the proxy between a client (e.g. a frontend app) and a web server to catch invalid requests or responses during development. Use this proxy locally or set it up in your development server. In production environments, set the _silent_ flag to forward unmodified response bodies. In any case, validation headers are set that allow to trace down violations to your OpenAPI definition.

Proxy Diagram

Requirements

We run all tests with Node.js versions 10 and 12. Higher versions could possibly work but are not currently supported.

Installation

To install the CLI globally:

npm install -g openapi-cop

To install the package locally (inside an existing NPM package) and run the proxy programatically:

npm install openapi-cop

Usage

There are three ways to run openapi-cop:

  1. Start it with the CLI (1).
  2. Run it programatically inside Node.js (2).
  3. Start a container based on the Docker image (3).

CLI Usage

The openapi-cop node package installs itself as an executable linked as openapi-cop. Run the command with the --help flag to get information about the CLI:

Usage: openapi-cop [options]

Options:
  -s, --file <file>                       path to the OpenAPI definition file
  -h, --host <host>                       the host of the proxy server (default: "localhost")
  -p, --port <port>                       port number on which to run the proxy (default: 8888)
  -t, --target <target>                   full base path of the target API (format: http(s)://host:port/basePath)
  --default-forbid-additional-properties  disallow additional properties when not explicitly specified
  --silent                                do not send responses with validation errors, just set validation headers
  -w, --watch [watchLocation]             watch for changes in a file or directory (falls back to the OpenAPI file)
                                             and restart server accordingly
  -v, --verbose                           show verbose output
  -V, --version                           output the version number
  -h, --help                              output usage information

The proxy validates the requests and responses in the communication with a target server. By default, the proxy will respond with a 500 status code when the validation fails.

Sample validation failure response 
{
  "error": {
    "message": "openapi-cop Proxy validation failed",
    "request": {
      "method": "POST",
      "path": "/pets",
      "headers": {
        "host": "localhost:8888",
        "user-agent": "curl/7.59.0",
        "accept": "*/*",
        "content-type": "application/json",
        "content-length": "16"
      },
      "query": {},
      "body": {
        "data": "sent"
      }
    },
    "response": {
      "statusCode": 201,
      "body": "{}",
      "headers": {
        "x-powered-by": "Express",
        "openapi-cop-openapi-file": "7-petstore.yaml",
        "content-type": "application/json; charset=utf-8",
        "content-length": "2",
        "etag": "W/\"2-vyGp6PvFo4RvsFtPoIWeCReyIC8\"",
        "date": "Thu, 25 Jul 2019 13:39:58 GMT",
        "connection": "close"
      },
      "request": {
        "uri": {
          "protocol": "http:",
          "slashes": true,
          "auth": null,
          "host": "localhost:8889",
          "port": "8889",
          "hostname": "localhost",
          "hash": null,
          "search": null,
          "query": null,
          "pathname": "/pets",
          "path": "/pets",
          "href": "http://localhost:8889/pets"
        },
        "method": "POST",
        "headers": {
          "host": "localhost:8888",
          "user-agent": "curl/7.59.0",
          "accept": "*/*",
          "content-type": "application/json",
          "content-length": "16",
          "accept-encoding": "gzip, deflate"
        }
      }
    },
    "validationResults": {
      "request": {
        "valid": true,
        "errors": null
      },
      "response": {
        "valid": false,
        "errors": [
          {
            "keyword": "required",
            "dataPath": "",
            "schemaPath": "#/required",
            "params": {
              "missingProperty": "code"
            },
            "message": "should have required property 'code'"
          }
        ]
      },
      "responseHeaders": {
        "valid": true,
        "errors": null
      }
    }
  }
}

Two headers are added to the response:

  • openapi-cop-validation-result: contains the validation results as JSON.

    Interface 
    {
    request: {
      valid: boolean;
      errors?: Ajv.ErrorObject[] | null;
    },
    response: {
      valid: boolean;
      errors?: Ajv.ErrorObject[] | null;
    },
    responseHeaders: {
      valid: boolean;
      errors?: Ajv.ErrorObject[] | null;
    }
}

  • openapi-cop-source-request: contains a simplified version of the original request sent by the client as JSON.

    Interface 
    {
  method: string;
  path: string;
  headers: {
    [key: string]: string | string[];
  };
  query?: {
    [key: string]: string | string[];
  } | string;
  body?: any;
}

See the references of OpenAPI Backend and Ajv for more information.

When the --silent is provided, the proxy will forward the server's response body without modification. In this case, the validation headers are still added.

Module Usage

To run the proxy programatically use runProxy, which returns a Promise<http.Server>:

import {runProxy} from 'openapi-cop';

const server = await runProxy({
  port: 8888,
  host: 'proxyhost',
  targetUrl: 'http://targethost:8989',
  apiDocPath: '/path/to/openapi-file.yaml',
  defaultForbidAdditionalProperties: false,
  silent: false
});

Docker Image Usage

We publish a Docker image lxlu/openapi-cop that you can use for your convenience. This means you can also run openapi-cop with something like

docker run --rm -p 8888:8888 --env TARGET=https://some-host-name:1234 --env FILE=some-openapi-document.json lxlu/openapi-cop

Read more information about the usage here.

FAQ

Can I use this in production? This tool was originally meant for development scenarios. You can use this in production but we cannot give you any security guarantees. Also running the JSON schema validation is quite CPU-expensive and you likely do not want to validate in both directions in production because of that overhead.
Do I need this if I already generate my client from the OpenAPI? In case your client and server code is generated from the OpenAPI spec, you might still want to use this proxy. Generated code does usually only provide typing information, but JSON Schema defines much more than that. For example you might define a string property to match a given RegEx and start with the letter "C". This will not be ensured by your generated code at compile time, but will be caught by openapi-cop.
Can I use this with other programming languages? Yes. This is a proxy and not a middleware. You can use it between whatever HTTP-endpoints you have in your architecture.

Contributing

If you want to contribute to openapi-cop, be sure to check the Contributing guidelines and the Contributing wiki page.


Made By
Alexis and Daniel

at

Exxeta

Join us now!



More Repositories

1

sonar-esql-plugin

Sonar plugin to analyze ESQL-sourcecode of IBM Integration Bus projects
Java
35
star
2

springio-2023

Java
17
star
3

swiftui-examples

A collection of our SwiftUI example projects from our Medium articles.Β 
Swift
15
star
4

stm32f4-blackpill-quickstart

An Embedded Rust Template for a STM32F401 Black Pill Board
Rust
11
star
5

sonar-msgflow-plugin

Sonar plugin to analyze messageflows of IBM Integration Bus projects
Java
9
star
6

devops-demo

Brief demo of basic DevOps techniques and technologies
Python
4
star
7

contributors

How to contribute to the github.com/EXXETA presence
4
star
8

gitlab-cli

interactive command-line-interface for the gitlab rest api written in go
Go
3
star
9

swift-image-editing-component

An image editing component in swift that we created for our medium blog post.
Swift
3
star
10

arquilliantutorial

Simple Arquillian Tutorial
Java
2
star
11

activiti-spring

Beispielprojekt fΓΌr den Java Magazin Artikel
Java
2
star
12

kubernetes-monitor-view

Angular component for monitoring kubernetes clusters
TypeScript
2
star
13

scooltivity-app

JavaScript
2
star
14

java-magazin-crac-snapstart

Java
2
star
15

kubernetes-monitor

Monitors kubernetes clusters based on a JSON config file
Java
2
star
16

AWS-Quiz

TypeScript
1
star
17

k8s-python-tools

A toolset around k8s cluster administration tasks.
Python
1
star
18

scooltivity-server

Java
1
star
19

running-routes

This is the demo code for the Java Magazin articles "Geodaten: Laufen im Kreis" (04 + 05 /2010)
Java
1
star
20

correomqtt-plugins

Plugins developed by Exxeta for CorreoMQTT.
Java
1
star
21

secure-keyboards-flutter

Dart
1
star
22

secure-keyboards-android

Kotlin
1
star
23

android-examples

A collection of our Android example projects from our Medium articles.
Kotlin
1
star