There is an issue with the underlying cebe/php-openapi library for Windows users that prevents us from calling readFromYamlFile(). @scaytrase has opened an issue on their repo so hopefully it'll be fixed soon. However, this bug is fixed in the underlying library the examples in the README file will not work as described for Windows users.

In order to read the YAML file I had to do something slightly different to the example:

$yamlFile = "api.yaml";

$validator = new \OpenAPIValidation\PSR7\ResponseValidator(
    \cebe\openapi\Reader::readFromYaml(file_get_contents($yamlFile))
);

$operation = new \OpenAPIValidation\PSR7\OperationAddress('/password/gen', 'get') ;

$validator->validate($operation, $request);

Would you like me to submit a PR to update the README examples to use file_get_contents() as a temporary solution?

I have also found that I am unable to run the test suite for the same reason. For reference, this is the error I get:

OpenAPIValidationTests\PSR7\CompleteTest::test_request_green cebe\openapi\exceptions\UnresolvableReferenceException: Can not resolve references for a specification given as a relative path.

I tried updating the failing test to use file_get_contents() but I get another error:

OpenAPIValidationTests\PSR7\CompleteTest::test_request_green OpenAPIValidation\PSR7\Exception\Request\RequestBodyMismatch: OpenAPI spec does not match the body of the request [/complete/{param1}/{param2},post]: Argument 1 passed to OpenAPIValidation\Schema\Validator::__construct() must be an instance of cebe\openapi\spec\Schema, instance of cebe\openapi\spec\Reference given

I'll have a crack at getting the test suite to run but I thought I'd bring this up in case it's affecting anyone else.

Hey there! I think there is a great chance for you folks to collaborate here. I am opening up the conversation here as it has the most stars, but it could be anywhere. They are all good implementations.

• @mieszkomalawski - https://gitlab.com/mmalawski/openapi-validator
• @hkarlstrom - https://github.com/hkarlstrom/openapi-validation-middleware

These packages all do the same thing.

1. Read a JSON or YAML file
2. Allow general PSR-7/PSR-15 middleware to be created for this file
3. Offer at least request validation (maybe response too)
4. Offer errors in various formats (RFC 7807 or others)
5. Support custom formats

I think you could all team up on a new @thephpleague project. I bet they'd take you if you all worked together, I can provide some guidance if needed, and then you just archive things on GitHub, mark them abandoned on Packagist, and the mega-package lives on forever despite whatever hurdles life throw at you individually.

LMK if you like the sound of this. OpenAPI can be just too much for single maintainers to handle solo. 🤷‍♂

I'm trying a simple bit of validation:

$myJsonSpec = '{...}';
$serverRequest = // PSR-7 message constructed by hand
$validator = \OpenAPIValidation\PSR7\ServerRequestValidator::fromJson($myJsonSpec);
$result = $validator->validate($serverRequest);

If all validates correctly I get this object returned:

OpenAPIValidation\PSR7\OperationAddress

For example:

object(OpenAPIValidation\PSR7\OperationAddress)#47 (2) {
  ["method":protected]=>
  string(3) "get"
  ["path":protected]=>
  string(15) "/ccodes/{ccode}"
}

The method and the path are keys to the operation, so I'm wondering whether it would be more useful to return the operation? The operationId could then be used to fire off further parsing of the server request (I'm looking at generated code to do this). I may be missing the reason for returning OperationAddress though.

Without knowing the operationId at this point, further work needs to be done to decode the method and path to find it. It may already be available somewhere I'm not just looking.

Also, the validate() method either returns this object, or throws an exception. The exception is just for one of what may be many validation errors. Is there a way to find all the validation errors rather than just reporting on one? Looking at the validator, I can see it scatters _errors across many of the nodes of its internal data structures, so I'm guessing it does scan for multiple validation errors at once.

This is more a question than anything. Hopefully it is covered somewhere.

So, for every inbound request to an API, the payload needs to be validated against an OpenAPI definition. That definition needs to be parsed/lexed/whatever into some form that can be used to do the validation. That will take time and resources to do.

So, is that parsed form of the OpenAPI definition cached? Can it even be cached? Does the full parsing happen on every API call, maybe it's not as resource intensive as I think it may be (but judging by the speed of client-based OpenAPI editors once a 3.0 definition goes above a few hundred lines, I would assume it is fairly intense).

I haven't tried it yet, but it looks ideal for a project I'm working on now.

Second part of exception consistency (fixes #18)

I've got some spare time, so here is some improvements:

• [x] Generic validation exception signature (all validators now declare exceptions they will throw, incl. top-level request and response validators)
• [x] Consistent exception hierarchy
• [x] More precise exception rethrow control - switch-case rethrow will not catch unintended exceptions now
• [x] Make inner validators throw needed exceptions directly (get rid of magic error codes and additional switch-cases)
• [x] Update docs with new exceptions (I noticed there was no BreadCrumb usage example in the readme, probably this PR is a good place to add it)

I'm trying to use this library to generate error messages that are visible to the end-user. Thus I need a way to find out the name of the property that's not valid.

As far as I can tell there is no way to this right now. I'm thinking of something like that:

try {
 // Validation
} catch (OpenAPIValidation\PSR7\Exception\Validation\InvalidBody $e) {
    $property = $e->getInvalidPropertyName();
    echo "The field '$property' is not valid. Please correct it and try again."
}

Is something like that possible and if not are there any plans to implement this?

Thanks

Hello,

I'm trying to validate a request containing two query parameters.

Upon doing so i am receiving a RequestQueryArgumentMismatch due to the query arguments of the request not being a type 'integer', and a 'string' given.

As of version 3.0 of openapi, query parameters can be specified as an integer along with other non string data types, i would have thought the PSR-7 validator would be able to look at a query parameter and check if it is an integer within a string.

https://swagger.io/docs/specification/describing-parameters/

When url field in server object containts relative path, for example "/v2" or "/", validator can't match request with operation definition.

For example, if we have definition:

servers:
  - url: '/v1'
paths:
  /operations:
    post:
...

and try to validate POST request "http://localhost/v1/operations", we get an exception "OpenAPI spec contains no such operation [/operations,post]". But if we specify server url as "http://localhost/v1", everything works fine.

If I understand it correctly, there is no possibility to match any request, when server path is relative (or if "servers" section is omitted altogether, and default value is one server with url="/").

From OpenAPI documentaion it is not very clear what to do in this case https://swagger.io/docs/specification/api-host-and-base-path/#relative-urls https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#serverObject

The URLs in the servers array can be relative, such as /v2. In this case, the URL is resolved against the server that hosts the given OpenAPI definition.

Should validator ignore server name from request, when path is relative? Or somehow get "server that hosts the given OpenAPI definition" and match it to server name from request?

Do you have any suggestions?

Key changes:

• Validator instance is now statless. It can be re-used to validate other data against other schema.
• Consistent \Schema\Exception
  • new exception class - InvalidSchema - for converting defensive respect validations. It's considered Runtime, so not reflected in sigatures as defencive check
  • new exception class - SchemaMismatch - as a base class for all other validation exceptions
  • new exception hierarchy
    • SchemaMismatch
      • supports breadcrumbs on this level
    • ValidationKeywordFailed (I find this naming strange, but didn't touch it)
    • TypeMismatch (keyword === type)
    • FormatMismatch (keyword === type)
• Validator interface

Also I've updated all signatures in \Schema namespace to reflect real exceptions that are expected as validation result.

Fixes #14, partially #18

Fixes #11 (Improves)

Key notes:

• Totally decoupled ServerRequestValidator and ResponseValidator
• Validators are created using builder
• Schemas are created with designated schema factories. The should be probably moved to Schema-level namespace and reused from other components
• ~Tried to make psr/cache optional (suggested) in composer.json, since there is a way without using its classes for PSR-7 validator for now. But we should go for it further and refactor other cache usages or revert this change~

Also:

• No additional unit tests are written at the moment, neither old refactored. I'll create them after architectural agreements are reached

Hi,

The InvalidSchema exception (and maybe others) will only display the wrapping error and omit the related ones when the error is a composite one (such as Respect/Validation's AllOf).

The issue with this is we don't know what the errors actually are, which makes it really hard to troubleshoot, e.g:

OpenAPIValidation\PSR7\Exception\Response\ResponseBodyMismatch: OpenAPI spec does not match the body of the response [/api/test,get,200]: Schema(or data) validation failed: All of the required rules must pass for "{\"data\":\"test\"}"

This doesn't tell you what the actual (related) exceptions are.

Hope that makes sense!

Thanks,

Yannick

As described here https://swagger.io/docs/specification/authentication/ possible security schemas are:

• [x] http
• [x] apiKey
• [ ] openIdConnect
• [ ] oauth2

See \OpenAPIValidation\PSR7\Validators\SecurityValidator This ticket is to track activities about that

Hi,

Related to https://github.com/lezhnev74/openapi-psr7-validator/issues/65 and idea of moving this package to php league.

I personally believe that in order to spread good practices and allow as many folks as possible to use openapi validation, we should focus on having as little dependencies as possible.

Currently, this package uses cebe/php-openapi which forces installation of symfony/yaml component. This indirectly forces a minimal version of Symfony (version >=4 I believe) and cuts off some potential developers. IMO input source (json/yaml) should be separated from parsing library. It should be up to developer to parse yaml/json (symfony/yaml could be a suggestion in composer.json) and then pass array or stdClass to cebe/php-openapi. This may seem like a bit of extra effort from developer but it will result in less dependencies and higher adoption.

Not sure that could be considered as a bug or maybe an improvement...

When checking the solution applied for #57 I realised that this library discards the exceptions from the inner validations done with OneOf and AnyOf:

Here, for example src/Schema/Keywords/OneOf.php:

        foreach ($oneOf as $schema) {
            try {
                $schemaValidator->validate($data, $schema, $this->dataBreadCrumb);
                $matchedCount++;
            } catch (SchemaMismatch $e) {
                // that did not match... its ok         <<<<<<<<< HERE >>>>>>>>>>
            }
        }

        if ($matchedCount !== 1) {
            throw KeywordMismatch::fromKeyword('oneOf', $data, sprintf('Data must match exactly one schema, but matched %d', $matchedCount));
        }

so if we have in definition something like:

      properties:
        some_property_here:
          oneOf:
            - type: object
            - type: string
              maxLength: 10
              minLength: 1

And send a request with:

{
    "some_property_here": "String with more than 10 characters"
}

One would expected to see the message: Keyword validation failed: Data must match exactly one schema, but matched 0 from the OneOf (which is ok and displaying correctly) but also the reason why it didn't match: Length of '35' must be shorter or equal to 10 but this last message gets discarded when we catch SchemaMismatch $e and don't do anything with it...

So maybe there's a way to display those failed constraints and messages to get more specific errors?

The idea I had was to use the previous feature from exceptions as you're doing already in some places. So here (with some line breaks to make it more readable):

        $prev = null;
        foreach ($oneOf as $schema) {
            try {
                $schemaValidator->validate($data, $schema, $this->dataBreadCrumb);
                $matchedCount++;
            } catch (SchemaMismatch $e) {
                $prev = $e; // that did not match... its ok
            }
        }

...

            throw KeywordMismatch::fromKeyword(
                'oneOf',
                $data,
                sprintf('Data must match exactly one schema, but matched %d', $matchedCount),
                $prev // <<< HERE, there's already this argument in `fromKeyword` method
            );

Of course you need to consider that this catch block might get executed more than once, and you would need to somehow get/group all those inner exceptions (with my example I'm overriding $prev everytime)... idk, maybe we could start with at least 1 specific exception (which is better than none) and implement this multiple exception handling later 🤷‍♂ 🙂

Some way to validate the request and response of callbacks would be great.

I think the validation per se would work, but there needs to be some other way to resolve the specs. Right now, the specs are loaded based on a passed OperationAddress which doesn't fit for callbacks.

Currently, the package does not support serialization of parameters.

This ticket is to track efforts for adding serialization support to the package.

Docs:

• https://swagger.io/docs/specification/serialization/
• https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#support-for-x-www-form-urlencoded-request-bodies

Notes:

• application/x-www-form-urlencoded body messages cannot be fully supported without serialization support
• #38