Support for multipart/form-data in the request body

package.json

@@ -42,6 +42,7 @@
     "@types/type-is": "^1.6.3",
     "@types/uri-template-lite": "^19.12.1",
     "@types/urijs": "^1.19.17",
+    "@types/whatwg-mimetype": "^3.0.0",
     "@typescript-eslint/eslint-plugin": "^2.34.0",
     "@typescript-eslint/parser": "^4.33.0",
     "abstract-logging": "^2.0.1",
@@ -50,6 +51,7 @@
     "eslint-config-prettier": "^7.2.0",
     "eslint-plugin-prettier": "^4.2.1",
     "fast-xml-parser": "^4.2.0",
+    "form-data": "^4.0.0",
     "gavel": "^10.0.3",
     "glob": "^7.2.0",
     "http-string-parser": "^0.0.6",

packages/http-server/src/__tests__/body-params-validation.spec.ts

@@ -4,6 +4,8 @@ import fetch, { RequestInit } from 'node-fetch';
 import { createServer } from '../';
 import { ThenArg } from '../types';
 import * as faker from '@faker-js/faker/locale/en';
+import { Dictionary } from '@stoplight/types';
+import * as FormData from 'form-data';
 
 const logger = createLogger('TEST', { enabled: false });
 
@@ -718,6 +720,83 @@ describe('body params validation', () => {
           tags: [],
           security: [],
         },
+        {
+          id: '?http-operation-id?',
+          method: 'post',
+          path: '/multipart-form-data-body-required',
+          responses: [
+            {
+              id: faker.random.word(),
+              code: '200',
+              headers: [],
+              contents: [
+                {
+                  id: faker.random.word(),
+                  mediaType: 'application/json',
+                  schema: {
+                    type: 'object',
+                    properties: {
+                      type: {
+                        type: 'string',
+                      },
+                    },
+                  },
+                  examples: [
+                    {
+                      id: faker.random.word(),
+                      key: 'test',
+                      value: { type: 'foo' },
+                    },
+                  ],
+                  encodings: [],
+                },
+              ],
+            },
+          ],
+          servers: [],
+          request: {
+            body: {
+              id: faker.random.word(),
+              required: true,
+              contents: [
+                {
+                  id: faker.random.word(),
+                  mediaType: 'multipart/form-data',
+                  schema: {
+                    type: 'object',
+                    properties: {
+                      status: {
+                        type: 'string'
+                      },
+                      lines: {
+                        type: 'string'
+                      },
+                      test_img_file: {
+                        type: 'string'
+                      },
+                      test_json_file: {
+                        type: 'string'
+                      },
+                      num: {
+                        type: 'integer'
+                      },
+                    },
+                    required: ['status'],
+                    $schema: 'http://json-schema.org/draft-07/schema#',
+                  },
+                  examples: [],
+                  encodings: [],
+                },
+              ],
+            },
+            headers: [],
+            query: [],
+            cookie: [],
+            path: [],
+          },
+          tags: [],
+          security: [],
+        },
       ]);
     });
 
@@ -796,5 +875,44 @@ describe('body params validation', () => {
         expect(response.status).toBe(200);
       });
     });
+
+    describe('valid multipart form data parameter provided', () => {
+      let requestParams: Dictionary<any>;
+      beforeEach(() => {
+        const formData = new FormData();
+        formData.append("status", "--=\"");
+        formData.append("lines", "\r\n\r\n\s");
+        formData.append("test_img_file", "@test_img.png");
+        formData.append("test_json_file", "<test_json.json");
+        formData.append("num", "10");
+
+        requestParams = {
+          method: 'POST',
+          body: formData
+        };
+      });
+
+      describe('boundary string generated correctly', () =>{
+        test('returns 200', async () => {
+          const response = await makeRequest('/multipart-form-data-body-required', requestParams);
+          expect(response.status).toBe(200);
+          expect(response.json()).resolves.toMatchObject({ type: 'foo' });
+        });
+      });
+
+      describe('missing generated boundary string due to content-type manually specified in the header', () => {
+        test('returns 415 & error message', async () => {
+          requestParams['headers'] = { 'content-type':'multipart/form-data' };
+          const response = await makeRequest('/multipart-form-data-body-required', requestParams);
+          expect(response.status).toBe(415);
+          expect(response.json()).resolves.toMatchObject({
+            detail: "Boundary parameter for multipart/form-data is not defined or generated in the request header. Try removing manually defined content-type from your request header if it exists.",
+            status: 415,
+            title: "Invalid content type",
+            type: "https://stoplight.io/prism/errors#INVALID_CONTENT_TYPE",
+          });
+        });
+      });
+    });
   });
 });

packages/http-server/src/__tests__/test_json.json

@@ -0,0 +1,7 @@
+{
+  "surname" : "Doe",
+  "name" : "John",
+  "city" : "Manchester",
+  "address" : "5 Main Street",
+  "hobbies" : ["painting","lawnbowls"]
+}

packages/http/package.json

@@ -36,10 +36,12 @@
     "json-schema-faker": "0.5.0-rcv.40",
     "lodash": "^4.17.21",
     "node-fetch": "^2.6.5",
+    "parse-multipart-data": "^1.5.0",
     "pino": "^6.13.3",
     "tslib": "^2.3.1",
     "type-is": "^1.6.18",
-    "uri-template-lite": "^22.9.0"
+    "uri-template-lite": "^22.9.0",
+    "whatwg-mimetype": "^3.0.0"
   },
   "publishConfig": {
     "access": "public"

packages/http/src/mocker/index.ts

@@ -1,6 +1,7 @@
 import { IPrismComponents, IPrismDiagnostic, IPrismInput } from '@stoplight/prism-core';
 import {
   DiagnosticSeverity,
+  Dictionary,
   IHttpHeaderParam,
   IHttpOperation,
   IHttpOperationResponse,
@@ -42,7 +43,9 @@ import {
   deserializeFormBody,
   findContentByMediaTypeOrFirst,
   splitUriParams,
+  parseMultipartFormDataParams
 } from '../validator/validators/body';
+import { parseMIMEHeader } from '../validator/validators/headers';
 import { NonEmptyArray } from 'fp-ts/NonEmptyArray';
 export { resetGenerator as resetJSONSchemaGenerator } from './generator/JSONSchema';
 
@@ -68,7 +71,6 @@ const mock: IPrismComponents<IHttpOperation, IHttpRequest, IHttpResponse, IHttpM
         logger.info(`Request contains an accept header: ${acceptMediaType}`);
         config.mediaTypes = acceptMediaType.split(',');
       }
-
       return config;
     }),
     R.chain(mockConfig => negotiateResponse(mockConfig, input, resource)),
@@ -137,19 +139,24 @@ function runCallbacks({
   we cannot carry parsed informations in case of an error — which is what we do need instead.
 */
 function parseBodyIfUrlEncoded(request: IHttpRequest, resource: IHttpOperation) {
-  const mediaType = caseless(request.headers || {}).get('content-type');
-  if (!mediaType) return request;
+  const contentTypeHeader = caseless(request.headers || {}).get('content-type');
+  if (!contentTypeHeader) return request;
+  const [multipartBoundary, mediaType] = parseMIMEHeader(contentTypeHeader);
 
-  if (!is(mediaType, ['application/x-www-form-urlencoded'])) return request;
+  if (!is(mediaType, ['application/x-www-form-urlencoded', 'multipart/form-data'])) return request;
 
   const specs = pipe(
     O.fromNullable(resource.request),
     O.chainNullableK(request => request.body),
     O.chainNullableK(body => body.contents),
     O.getOrElse(() => [] as IMediaTypeContent[])
   );
-
-  const encodedUriParams = splitUriParams(request.body as string);
+
+  const requestBody = request.body as string;
+  const encodedUriParams = pipe(
+    mediaType === "multipart/form-data" ? parseMultipartFormDataParams(requestBody, multipartBoundary) : splitUriParams(requestBody),
+    E.getOrElse<IPrismDiagnostic[], Dictionary<string>>(() => ({} as Dictionary<string>))
+  );
 
   if (specs.length < 1) {
     return Object.assign(request, { body: encodedUriParams });

packages/http/src/validator/index.ts

@@ -21,6 +21,7 @@ import { findOperationResponse } from './utils/spec';
 import { validateBody, validateHeaders, validatePath, validateQuery } from './validators';
 import { NonEmptyArray } from 'fp-ts/NonEmptyArray';
 import { ValidationContext } from './validators/types';
+import { parseMIMEHeader } from '../validator/validators/headers';
 import { wildcardMediaTypeMatch } from './utils/wildcardMediaTypeMatch';
 
 export { validateSecurity } from './validators/security';
@@ -53,15 +54,16 @@ const isMediaTypeSupportedInContents = (mediaType?: string, contents?: IMediaTyp
 
 const validateInputIfBodySpecIsProvided = (
   body: O.Option<unknown>,
-  mediaType: string,
   requestBody: O.Option<IHttpOperationRequestBody>,
+  mediaType?: string,
+  multipartBoundary?: string,
   bundle?: unknown
 ) =>
   pipe(
     sequenceOption(body, requestBody),
     O.fold(
       () => E.right(body),
-      ([body, contents]) => validateBody(body, contents.contents ?? [], ValidationContext.Input, mediaType, bundle)
+      ([body, contents]) => validateBody(body, contents.contents ?? [], ValidationContext.Input, mediaType, multipartBoundary, bundle)
     )
   );
 
@@ -75,17 +77,19 @@ const validateInputBody = (
     checkRequiredBodyIsProvided(requestBody, body),
     E.map(b => [...b, caseless(headers || {})] as const),
     E.chain(([requestBody, body, headers]) => {
+      const contentTypeHeader = headers.get('content-type');
+      const [multipartBoundary, mediaType] = contentTypeHeader ? parseMIMEHeader(contentTypeHeader) : [undefined, undefined];
+
       const contentLength = parseInt(headers.get('content-length')) || 0;
       if (contentLength === 0) {
         // generously allow this content type if there isn't a body actually provided
-        return E.right([requestBody, body, headers] as const);
+        return E.right([requestBody, body, mediaType, multipartBoundary] as const);
       }
 
       let errorMessage = 'No supported content types, but request included a non-empty body';
       if (O.isSome(requestBody)) {
-        const mediaType = headers.get('content-type');
         if (isMediaTypeSupportedInContents(mediaType, requestBody.value.contents)) {
-          return E.right([requestBody, body, headers] as const);
+          return E.right([requestBody, body, mediaType, multipartBoundary] as const);
         }
 
         const specRequestBodyContents = requestBody.value.contents || [];
@@ -103,10 +107,7 @@ const validateInputBody = (
         },
       ]);
     }),
-    E.chain(([requestBody, body, headers]) => {
-      const mediaType = headers.get('content-type');
-      return validateInputIfBodySpecIsProvided(body, mediaType, requestBody, bundle);
-    })
+    E.chain(([requestBody, body, mediaType, multipartBoundary]) => validateInputIfBodySpecIsProvided(body, requestBody, mediaType, multipartBoundary, bundle))
   );
 
 export const validateInput: ValidatorFn<IHttpOperation, IHttpRequest> = ({ resource, element }) => {