AWS API 网关 (REST) - 即使存在未知 属性,请求验证也会通过
AWS API Gateway (REST) - Request Validation passes even when there is unknown property
我有一个具有以下架构的 API 网关:
{
"swagger": "2.0",
"info": {
"description": "This is a sample server Petstore server. You can find out more about Swagger at [http://swagger.io](http://swagger.io) or on [irc.freenode.net, #swagger](http://swagger.io/irc/). For this sample, you can use the api key `special-key` to test the authorization filters.",
"version": "1.0.0",
"title": "Swagger Petstore",
"termsOfService": "http://swagger.io/terms/",
"contact": {
"email": "apiteam@swagger.io"
},
"license": {
"name": "Apache 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.html"
}
},
"paths": {
"/pet": {
"post": {
"summary": "Add a new pet to the store",
"description": "",
"operationId": "addPet",
"consumes": [
"application/json",
"application/xml"
],
"produces": [
"application/xml",
"application/json"
],
"parameters": [
{
"in": "body",
"name": "body",
"description": "Pet object that needs to be added to the store",
"required": true,
"schema": {
"$ref": "#/definitions/Pet"
}
}
],
"responses": {
"405": {
"description": "Invalid input"
}
}}
}},
"definitions": {
"Pet": {
"required": ["id", "name"],
"type": "object",
"properties": {
"id": {
"type": "integer",
"description": "Id of the pet",
"example": 123
},
"name": {
"type": "string",
"description": "Name of the pet",
"example": "Jammy"
},
"nickname": {
"type": "string",
"description": "Nickname of the pet",
"example": "Jam"
}
}
}
}
}
当我发送请求 body 时,其字段不在架构中,我没有从 API 网关收到 400 响应。我已将配置应用于验证 body、headers、查询字符串。
这是 API 网关中的未解决问题吗?还是我遗漏了什么?
因此,对于 swagger v2 和 openapiv3 规范,默认行为是接受您的规范未定义的所有其他属性。如果您包含所需的宠物 ID 和名称以及其他未使用的属性(如 foo 和 bar),您 post 应该会成功。
如果您希望更严格的验证在发送附加属性时失败,请在您的 pet 架构中将 additionalProperties 设置为 false 或执行此操作并将规范版本更改为 3.x.x
我有一个具有以下架构的 API 网关:
{
"swagger": "2.0",
"info": {
"description": "This is a sample server Petstore server. You can find out more about Swagger at [http://swagger.io](http://swagger.io) or on [irc.freenode.net, #swagger](http://swagger.io/irc/). For this sample, you can use the api key `special-key` to test the authorization filters.",
"version": "1.0.0",
"title": "Swagger Petstore",
"termsOfService": "http://swagger.io/terms/",
"contact": {
"email": "apiteam@swagger.io"
},
"license": {
"name": "Apache 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.html"
}
},
"paths": {
"/pet": {
"post": {
"summary": "Add a new pet to the store",
"description": "",
"operationId": "addPet",
"consumes": [
"application/json",
"application/xml"
],
"produces": [
"application/xml",
"application/json"
],
"parameters": [
{
"in": "body",
"name": "body",
"description": "Pet object that needs to be added to the store",
"required": true,
"schema": {
"$ref": "#/definitions/Pet"
}
}
],
"responses": {
"405": {
"description": "Invalid input"
}
}}
}},
"definitions": {
"Pet": {
"required": ["id", "name"],
"type": "object",
"properties": {
"id": {
"type": "integer",
"description": "Id of the pet",
"example": 123
},
"name": {
"type": "string",
"description": "Name of the pet",
"example": "Jammy"
},
"nickname": {
"type": "string",
"description": "Nickname of the pet",
"example": "Jam"
}
}
}
}
}
当我发送请求 body 时,其字段不在架构中,我没有从 API 网关收到 400 响应。我已将配置应用于验证 body、headers、查询字符串。
这是 API 网关中的未解决问题吗?还是我遗漏了什么?
因此,对于 swagger v2 和 openapiv3 规范,默认行为是接受您的规范未定义的所有其他属性。如果您包含所需的宠物 ID 和名称以及其他未使用的属性(如 foo 和 bar),您 post 应该会成功。
如果您希望更严格的验证在发送附加属性时失败,请在您的 pet 架构中将 additionalProperties 设置为 false 或执行此操作并将规范版本更改为 3.x.x