Security definition in query overwritten with additional query parameters #111
Now had time to start digging, it turns out that unknown query parameters are only rejected if any query parameters are defined for that path.
Since security query parameters don't appear in the schema.query they are rejected in the middleware.
Offtopic#1: If we reject the request on an unknown query parameter we should always reject even if no query parameters were defined at all - so I would remove
I would rather skip the validation if there aren't any query parameters:
Offtopic#2: How about making the rejectUnknownQueryParams optional? Regarding this issue:
I came up with two options to fix this:
Option A:
This would also 'validate' all security parameters (not only query), which is already done in the security middleware. Furthermore, the security parameters would appear in req.schema.
Option B:
and fetch them in the middleware like:
I will implement the whitelist option and send a PR. Feel free to implement a better solution.
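The whitelist idea discussed above, as an added sketch that is neither the project's code nor the commenter's patch: query parameter names belonging to the operation's `apiKey`-in-query security schemes are exempted from the unknown-parameter check, and authenticating the key stays with the security middleware. The OpenAPI fragment is constructed and the function names are hypothetical.

```javascript
// Added illustration, not the project's code; every name here is hypothetical.
// Constructed OpenAPI 3 fragment: one apiKey scheme in the query, one in a header.
const limitParam = { name: 'limit', in: 'query', schema: { type: 'integer' } };
const apiDoc = {
  components: {
    securitySchemes: {
      ApiKeyAuth: { type: 'apiKey', in: 'query', name: 'apiKey' },
      HeaderKey: { type: 'apiKey', in: 'header', name: 'X-API-Key' },
    },
  },
  paths: {
    '/pets': { get: { security: [{ ApiKeyAuth: [] }], parameters: [limitParam] } },
    '/open': { get: { parameters: [limitParam] } }, // no security requirement
  },
};

// Query parameter names that carry credentials for this operation.
// Only schemes the operation (or the document default) actually requires count,
// so the exemption never widens to paths that do not use the key.
function securityQueryParams(doc, operation) {
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  const requirements = operation.security || doc.security || [];
  const names = new Set();
  for (const requirement of requirements) {
    for (const schemeName of Object.keys(requirement)) {
      const scheme = schemes[schemeName];
      if (scheme && scheme.type === 'apiKey' && scheme.in === 'query') {
        names.add(scheme.name);
      }
    }
  }
  return names;
}

// Returns the query keys that are neither declared parameters nor security parameters.
// An empty result means the request passes the unknown-parameter check.
function unknownQueryParams(doc, operation, query) {
  const declared = new Set(
    (operation.parameters || []).filter((p) => p.in === 'query').map((p) => p.name)
  );
  const exempt = securityQueryParams(doc, operation);
  return Object.keys(query).filter((key) => !declared.has(key) && !exempt.has(key));
}
```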
fix-#111 endpoint query parameters overwrite security query parameters
@comino, your fix is in 2.14.3. Thanks again!
Using an APIKey as a query parameter and having more parameters causes the apiKey query parameter to be rejected: "Unknown query parameter apiKey"
Example:
Both tests fail with 400. This was recently introduced and was working before.
Investigating