Title: [Feature]: Required Access to resource's OpenAPI attributes whose validation is failing · Issue #609 · python-openapi/openapi-core · GitHub
Opengraph URL: https://github.com/python-openapi/openapi-core/issues/609
**rohan-97** opened this issue on 2023-06-23 (3 comments)

### Suggested Behavior

Hello, I am currently using OpenAPI-core with my Flask app and I am customizing validation error responses as per the [following comment](https://github.com/python-openapi/openapi-core/issues/564#issuecomment-1527092823).

The issue I am facing is that there are some fields in the request which hold sensitive information, e.g. credentials and auth tokens.
When the validation fails on these fields we get an error string which includes the value of these sensitive fields.

E.g. consider the following response:
```json
{
  "errors": [
    {
      "class": "<class 'openapi_core.validation.schemas.exceptions.InvalidSchemaValue'>",
      "status": 400,
      "title": "Value {'flag': 'MyPassword1234'} not valid for schema of type object: (<ValidationError: \"'MyPassword1234' is too short\">,)"
    }
  ]
}
```
As we can see in the above example, the password of the user is exposed as part of the response.
I do want to add validation for these fields; however, I don't want the values of these fields to be sent in the response.

For that I checked whether there is a flag in OpenAPI which marks a field as sensitive and found [this issue](https://github.com/OAI/OpenAPI-Specification/issues/2190#issuecomment-609011614) which suggested using the `x-pii: true` field in the YAML.

Also I used `FlaskOpenAPIErrorsHandler` to fetch the error object and see if we get details of the flags which are set for the field where the validation failed.

Following is my Flask code:
```python
#!/usr/bin/python3
"""Test server."""

from flask import Flask, request, jsonify
from openapi_core.contrib.flask.decorators import FlaskOpenAPIViewDecorator, FlaskOpenAPIErrorsHandler
from openapi_core import Spec


# Custom Error Handler block
class ErrorHandler(FlaskOpenAPIErrorsHandler):
    """Custom Error Handler"""

    def handle(self, errors: list):
        return jsonify({
            "causedBy": [self.handle_error(error) for error in errors]
        }), self.OPENAPI_ERROR_STATUS.get(errors[0].__class__, 400)

    def handle_error(self, error):
        """
        Converts error object into error string message

        :param error: Error object which stores exception message
        :type error: Exception object
        :return: Error message string corresponding to error object
        :rtype: str
        """
        if error.__cause__ is not None:
            error = error.__cause__
        # TODO: If the field in error object has x-pii: true, return a generic string which does not include its value
        if not (hasattr(error, "value") and hasattr(error, "type") and hasattr(error, "schema_errors")):
            return str(error)
        return f"Value(s) {error.value} not valid for schema of type {error.type} errors: {', '.join([err.message for err in error.schema_errors])}"


SPEC = "test.yaml"
obj = ErrorHandler()
openapi = FlaskOpenAPIViewDecorator.from_spec(Spec.from_file_path(SPEC), openapi_errors_handler=obj)

app = Flask(__name__)


@app.route("/test", methods=["POST"])
@openapi
def read_permission():
    """Test function"""
    return jsonify({
        "flag stri_normal_json": request.json.get("flag", 1)
    })


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=345, debug=True)
```

And following is the YAML file:

```yaml
openapi: '3.0.2'
info:
  title: Test Title
  version: '1.0'
servers:
  - url: http://localhost:345/
paths:
  /test:
    post:
      requestBody:
        content:
          application/json:
            schema:
              type: object
              required:
                - flag
              properties:
                flag:
                  x-pii: true
                  type: string
                  pattern: "^[\\w.-]*$"
                  minLength: 6
                  maxLength: 20
      responses:
        '200':
          description: Sample response
          content:
            application/json:
              schema:
                type: object
                properties:
                  flag stri_json:
                    type: string
                    minLength: 6
                    maxLength: 20
```
Please check the TODO comment inside the `handle_error` method.

If the validation of field `flag` fails and if we have access to the attributes of the `flag` YAML properties, e.g. the properties below:
```yaml
flag:
  x-pii: true
  type: string
  pattern: "^[\\w.-]*$"
  minLength: 6
  maxLength: 20
```

Then we would be able to have better customization and control over the response message.

### Why is this needed?

Many times we need to have better control over the response generated on the failure of validation.
Current error messages generated by openapi-core expose the field contents as part of the response, which makes openapi-core useless if there are sensitive fields in the request body which need to be validated.

Having access to the OpenAPI attributes of any field would be very helpful in generating custom response messages and would help us perform validation on fields with sensitive data without exposing the sensitive information in the response.

### References

https://github.com/OAI/OpenAPI-Specification/issues/2190

### Would you like to implement a feature?

Yes
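A stand-alone illustration of the redaction the TODO asks for, added here as an example and not the issue author's code or openapi-core's: a minimal validator for the keywords the issue's schema uses (`required`, `type`, `minLength`, `maxLength`, `pattern`) records the failing subschema with each error, so the handler can consult `x-pii` on that subschema and drop the value from the message it returns. It assumes the failing subschema travels with each error record, which is exactly the access the issue requests.

```python
import re

# Request-body schema from the issue's test.yaml, including the x-pii marker
REQUEST_SCHEMA = {
    "type": "object",
    "required": ["flag"],
    "properties": {
        "flag": {"x-pii": True, "type": "string",
                 "pattern": r"^[\w.-]*$", "minLength": 6, "maxLength": 20},
    },
}


def iter_errors(value, schema, path=()):
    """Yield (path, keyword, failing_subschema, raw_message) for the keywords
    used above. raw_message copies jsonschema's wording, which embeds the
    offending value; the subschema is what lets a handler see x-pii."""
    if schema.get("type") == "object" and isinstance(value, dict):
        for name in schema.get("required", []):
            if name not in value:
                yield path, "required", schema, f"{name!r} is a required property"
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                yield from iter_errors(value[name], sub, path + (name,))
    elif schema.get("type") == "string":
        if not isinstance(value, str):
            yield path, "type", schema, f"{value!r} is not of type 'string'"
            return
        if len(value) < schema.get("minLength", 0):
            yield path, "minLength", schema, f"{value!r} is too short"
        if len(value) > schema.get("maxLength", float("inf")):
            yield path, "maxLength", schema, f"{value!r} is too long"
        pattern = schema.get("pattern")
        if pattern and not re.search(pattern, value):
            yield path, "pattern", schema, f"{value!r} does not match {pattern!r}"


def safe_messages(value, schema=REQUEST_SCHEMA):
    """Error strings fit for the HTTP response: for a subschema flagged
    x-pii the value is dropped and only the field path and the violated
    keyword are reported; other errors keep the full message."""
    messages = []
    for path, keyword, sub, raw in iter_errors(value, schema):
        field = ".".join(path) or "<body>"
        if sub.get("x-pii"):
            messages.append(f"{field}: value rejected by '{keyword}' constraint")
        else:
            messages.append(f"{field}: {raw}")
    return messages
```

With the constructed body `{"flag": "pw!"}` the raw messages still quote the secret, while `safe_messages` reports only that `flag` failed `minLength` and `pattern`.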