You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
OpenAPI Compliance Proxy that validates requests and responses against an OpenAPI document
The idea is to place the proxy between a client (e.g. a frontend app) and a web server to catch invalid requests or responses during development. Use this proxy locally or set it up in your development server. In production environments, set the _silent_ flag to forward unmodified response bodies. In any case, validation headers are set that allow to trace down violations to your OpenAPI definition.
Requirements
We run all tests with Node.js versions 10 and 12. Higher versions could possibly work but are not currently
supported.
Installation
To install the CLI globally:
npm install -g openapi-cop
To install the package locally (inside an existing NPM package) and run the proxy programatically:
The openapi-cop node package installs itself as an executable linked as openapi-cop. Run the command with
the --help flag to get information about the CLI:
Usage: openapi-cop [options]
Options:
-s, --file <file> path to the OpenAPI definition file
-h, --host <host> the host of the proxy server (default: "localhost")
-p, --port <port> port number on which to run the proxy (default: 8888)
-t, --target <target> full base path of the target API (format: http(s)://host:port/basePath)
--default-forbid-additional-properties disallow additional properties when not explicitly specified
--silent do not send responses with validation errors, just set validation headers
-w, --watch [watchLocation] watch for changes in a file or directory (falls back to the OpenAPI file)
and restart server accordingly
-v, --verbose show verbose output
-V, --version output the version number
-h, --help output usage information
The proxy validates the requests and responses in the communication with a target server. By default, the proxy will
respond with a 500 status code when the validation fails.
When the --silent is provided, the proxy will forward the server's response body without modification. In this case,
the validation headers are still added.
Module Usage
To run the proxy programatically use runProxy, which returns a Promise<http.Server>:
Can I use this in production?
This tool was originally meant for development scenarios. You can use this in production but we cannot give you any security guarantees. Also running the JSON schema validation is quite CPU-expensive and you likely do not want to validate in both directions in production because of that overhead.
Do I need this if I already generate my client from the OpenAPI?
In case your client and server code is generated from the OpenAPI spec, you might still want to use this proxy. Generated code does usually only provide typing information, but JSON Schema defines much more than that. For example you might define a string property to match a given RegEx and start with the letter "C". This will not be ensured by your generated code at compile time, but will be caught by openapi-cop.
Can I use this with other programming languages?
Yes. This is a proxy and not a middleware. You can use it between whatever HTTP-endpoints you have in your architecture.
