[Feature]: Required Access to resource's OpenAPI attributes whose validation is failing #609
Comments
Hi @rohan-97 There's no need for an extension; it's a use case for a password format defined in OpenAPI 3.x. I would see this as a format unmarshaller which returns an extended string type (similar to SecretStr in pydantic), and converting to string by default will give us a masked string. As a workaround for now I would catch/override
My second thought: I noticed you want to mask the invalid value of a property. That means the format unmarshaller won't even trigger.
Hello @p1c2u, however I was able to get the resource's OpenAPI attributes by checking the attributes of the schema, which provides detail about the OpenAPI attributes. Using the above attribute, error.schema_errors[0].schema, I am able to query the attributes of the validation which is failing.
Suggested Behavior
Hello, I am currently using OpenAPI-core with my Flask app and I am customizing validation error responses as per the following comment.
The issue I am facing is that there are some fields in the request which hold sensitive information, e.g. credentials, auth tokens.
When the validation fails on these fields we get an error string which includes the value of these sensitive fields.
E.g. consider the following response,
As we can see in the above example, the password of the user is exposed as part of the response.
I do want to add validation for these fields; however, I don't want the values of these fields to be sent as a response.
For that I checked whether there is a flag in OpenAPI which marks a field as sensitive and found this issue which suggested using the
x-pii: true
field in the yaml. Also I used
FlaskOpenAPIErrorsHandler
to fetch the error object and see if we get details of the flags which are set for the field where the validation failed. Following is my Flask code
And the following is the YAML file
Please check the TODO comment inside handle_error method.
If the validation of the field flag fails and if we have access to the attributes of the flag yaml properties, e.g. the properties below, then we would be able to have better customization and control over the response message.
Why is this needed?
Many times we need better control over the response generated on the failure of validation.
Current error messages generated by openapi-core expose the field contents as part of the response, which makes openapi-core useless if there are sensitive fields in the request body which need to be validated.
Having access to the OpenAPI attributes of any field would be very helpful in generating custom response messages and would help us perform validation on fields with sensitive data without exposing the sensitive information in the response.
References
OAI/OpenAPI-Specification#2190
Would you like to implement a feature?
Yes
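A sketch of the handle_error body the issue is asking for, as an added example that is not openapi-core's or the issue author's code: it assumes the entries of error.schema_errors carry jsonschema-style attributes (message, schema, instance, validator, absolute_path), reads the x-pii flag from the schema the way the comment above describes, and uses constructed stand-in errors so it runs without Flask or openapi-core installed.

```python
from types import SimpleNamespace

REDACTED = "[REDACTED]"

def pii_values(schema, instance):
    """Values in `instance` that `schema` marks x-pii (walks properties and *Of branches)."""
    found = []
    if schema.get("x-pii") and instance is not None:
        found.append(instance)
    if isinstance(instance, dict):
        for name, sub in schema.get("properties", {}).items():
            if name in instance:
                found.extend(pii_values(sub, instance[name]))
    for key in ("oneOf", "anyOf", "allOf"):
        for sub in schema.get(key, []):
            found.extend(pii_values(sub, instance))
    return found

def sanitize_schema_error(err):
    """Map one jsonschema-style error to a client-safe {field, message} entry."""
    field = "/".join(str(p) for p in err.absolute_path) or "(body)"
    if err.schema.get("x-pii"):
        # The field itself is sensitive: name the failed keyword, never the value.
        return {"field": field, "message": f"value rejected by '{err.validator}' constraint"}
    # Parent-level errors (maxProperties, oneOf, type, ...) embed repr() of the whole
    # object in the message; scrub every x-pii sub-value before it leaves the server.
    msg = err.message
    for value in pii_values(err.schema, err.instance):
        msg = msg.replace(repr(value), REDACTED)
    return {"field": field, "message": msg}

def build_error_response(schema_errors):
    """Body and status a Flask error handler (e.g. handle_error) would return."""
    return {"errors": [sanitize_schema_error(e) for e in schema_errors]}, 400

# Constructed stand-ins for jsonschema.ValidationError objects (assumed attribute names).
def make_error(message, schema, instance, validator, path):
    return SimpleNamespace(message=message, schema=schema, instance=instance,
                           validator=validator, absolute_path=list(path))

PASSWORD = {"type": "string", "minLength": 8, "x-pii": True}
BODY = {"type": "object", "maxProperties": 2,
        "properties": {"username": {"type": "string"}, "password": PASSWORD}}
OVERSIZED = {"username": "bob", "password": "hunter2", "x": 1}
SAMPLE_ERRORS = [  # constructed messages in the format jsonschema produces
    make_error("'hunter2' is too short", PASSWORD, "hunter2", "minLength", ["password"]),
    make_error(f"{OVERSIZED!r} has too many properties", BODY, OVERSIZED, "maxProperties", []),
]
```

The first sample error is the per-field case from the issue; the second shows why scrubbing the parent-level message matters, since a maxProperties failure echoes the whole request body, password included.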