-
-
Notifications
You must be signed in to change notification settings - Fork 767
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extract JSON request body validation to middleware #1588
Conversation
75c7aac
to
b1c1205
Compare
b1c1205
to
cc29db5
Compare
Pull Request Test Coverage Report for Build 3063498594
💛 - Coveralls |
|
||
VALIDATOR_MAP = { | ||
"parameter": ParameterValidator, | ||
"body": {"application/json": JSONBodyValidator}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have been struggling here with the distinction of parameter
and body
as there currently isn't a clear split: form
parameters are validated by the ParameterValidator
but also by the RequestBodyValidator
. The request body also contains parameters, at least in Swagger 2 (link). In OpenAPI there is a clearer distinction between "parameters" and the "body" (link).
Seeing this, I think a way forward could be to move everything of formdata to a separate body validator as well. This also simplifies things wrt accessing the ASGI scope only vs also needing the send
and receive
callables. Wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think that makes sense. Just let me rephrase to make sure I understand:
- Move form validation into a separate body validator so it has the full ASGI interface (scope, send, receive) available and can decide if / how to consume the stream
- Parameter validators will only have the scope available, possibly via a Request object which does not provide access to the stream.
Correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, indeed. This to limit the amount of places in which the body stream could be accessed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👋 does this code mean that the JSONBodyValidator
is string-literally matched? I ask because I was thinking about a case where an American business is insisting that a partner use their mm/dd/yyyy
format for dates. They already use Connexion, and I'd sooner specify a separate accept & content-type for their weird expected output, and have everything else use, nice readable, standard-compliant ISO-8601 as per https://datatracker.ietf.org/doc/html/rfc3339#section-5.6 and https://swagger.io/docs/specification/data-models/data-types/#string.
@@ -368,31 +372,6 @@ def test_post_wrong_content_type(simple_app): | |||
) | |||
assert resp.status_code == 415 | |||
|
|||
# this test checks exactly what the test directly above is supposed to check, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test is outdated as explained in comment.
|
First step towards #1525
This PR extracts the request body validation for json payloads into middleware. The body validator is pluggable by content type and implements the ASGI interface. This way the stream can be consumed and replayed as needed for each content type.
A couple of notes / high level ideas
Operation
classes intoOperationSpec
classes which provides an interface for an operation specification across Swagger 2 & OpenAPI 3. I don't think we should subclass the middleware operation classes for Swagger 2 & OpenAPI separately.