
I have an API gateway with the following schema:

 {
  "swagger": "2.0",
  "info": {
    "description": "This is a sample server Petstore server.  You can find out more about     Swagger at [http://swagger.io](http://swagger.io) or on [irc.freenode.net, #swagger](http://swagger.io/irc/).      For this sample, you can use the api key `special-key` to test the authorization     filters.",
    "version": "1.0.0",
    "title": "Swagger Petstore",
    "termsOfService": "http://swagger.io/terms/",
    "contact": {
      "email": "apiteam@swagger.io"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    }
  },
  "paths": {
    "/pet": {
      "post": {
        "summary": "Add a new pet to the store",
        "description": "",
        "operationId": "addPet",
        "consumes": [
          "application/json",
          "application/xml"
        ],
        "produces": [
          "application/xml",
          "application/json"
        ],
        "parameters": [
          {
            "in": "body",
            "name": "body",
            "description": "Pet object that needs to be added to the store",
            "required": true,
            "schema": {
              "$ref": "#/definitions/Pet"
            }
          }
        ],
        "responses": {
          "405": {
            "description": "Invalid input"
          }
        }
      }
    }
  },
  "definitions": {
    "Pet": {
      "required": ["id", "name"],
      "type": "object",
      "properties": {
        "id": {
          "type": "integer",
          "description": "Id of the pet",
          "example": 123
        },
        "name": {
          "type": "string",
          "description": "Name of the pet",
          "example": "Jammy"
        },
        "nickname": {
          "type": "string",
          "description": "Nickname of the pet",
          "example": "Jam"
        }
      }
    }
    
  }
}

When I send a request body with fields which are not present in the schema, I don't get a 400 response from API Gateway. I have applied the configuration to Validate body, headers, query string.

Is this an open issue in API gateway? Or am I missing something?

Jammy

1 Answer


So with Swagger v2 and OpenAPI v3 specs, the default behavior is to accept all additional properties that your spec does not define. If you include the required pet id and name and additional unused properties like foo and bar, your POST should succeed.

If you want more strict validation that fails when additional properties are sent, then set additionalProperties to false in your pet schema, or do that and change the spec version to 3.x.x.

spacether
  • Is there a way to change this behaviour? Like using Open API 3.0 Spec? – Jammy Mar 24 '21 at 15:28
  • Yes, I added another paragraph above with suggested fixes – spacether Mar 24 '21 at 15:29
  • FYI this is actually the JSON Schema part of OAS =] – Relequestual Mar 24 '21 at 15:39
  • After setting additionalProperties to false and changing my swagger spec version, the behaviour started working. But it's not working for schemas where allOf is used. According to [aws api gateway docs](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html), looks like additionalProperties field is not supported. What am I missing now? – Jammy Mar 24 '21 at 16:38
  • Can you ask a new question with your allOf issue? additionalProperties must be omitted or true on all composed schemas for them to work. additionalProperties only lets in properties that are not defined in current_schema.properties. And current_schema.properties does not include properties in allOf schemas. – spacether Mar 24 '21 at 17:35
  • I found a similar Stack Overflow question for [allOf with additionalProperties](https://stackoverflow.com/questions/22689900/json-schema-allof-with-additionalproperties/24365393). So, accepting your answer – Jammy Mar 25 '21 at 08:10
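
The behaviour described in the answer and in the allOf comments, as an added example that is not part of the original posts and is not API Gateway's own validator: a simplified Python sketch of the JSON Schema keywords involved, run against the Pet schema from the question. `NAMED` and `COMPOSED` are constructed schemas used only to reproduce the allOf case.

```python
# Minimal validator for type, required, properties, additionalProperties
# and allOf. Illustration only; this is not API Gateway's validator.
TYPES = {"object": dict, "string": str, "integer": int}

def validate(schema, value):
    """Return a list of errors; an empty list means the body is accepted."""
    expected = schema.get("type")
    if expected and (not isinstance(value, TYPES[expected])
                     or (expected == "integer" and isinstance(value, bool))):
        return [f"expected {expected}, got {type(value).__name__}"]
    errors = []
    # allOf: every subschema is applied to the whole value independently.
    for sub in schema.get("allOf", []):
        errors += validate(sub, value)
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"missing required property {name!r}")
        for name, item in value.items():
            if name in props:
                errors += validate(props[name], item)
            # Default is True (accept). The check only consults this
            # schema's own "properties", never those inside allOf.
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"additional property {name!r} not allowed")
    return errors

# Pet definition from the question, and the same schema made strict.
PET = {
    "type": "object",
    "required": ["id", "name"],
    "properties": {"id": {"type": "integer"}, "name": {"type": "string"},
                   "nickname": {"type": "string"}},
}
STRICT_PET = dict(PET, additionalProperties=False)

# Constructed allOf case: "name" lives in a composed schema, so the
# outer additionalProperties: false treats it as an unknown property.
NAMED = {"type": "object", "required": ["name"],
         "properties": {"name": {"type": "string"}}}
COMPOSED = {"allOf": [NAMED], "required": ["id"], "additionalProperties": False,
            "properties": {"id": {"type": "integer"}}}

if __name__ == "__main__":
    extra = {"id": 123, "name": "Jammy", "foo": 1, "bar": 2}
    print(validate(PET, extra))         # accepted despite foo and bar
    print(validate(STRICT_PET, extra))  # foo and bar rejected
    print(validate(COMPOSED, {"id": 123, "name": "Jammy"}))  # name rejected
```

Relying on the default leaves unmodelled fields flowing to the backend, which matters when the backend binds request bodies directly to objects.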