Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zod-OpenAPI not performing strict validation on response schemas #913

Open
Rick-Phoenix opened this issue Dec 27, 2024 · 5 comments
Open

Zod-OpenAPI not performing strict validation on response schemas #913

Rick-Phoenix opened this issue Dec 27, 2024 · 5 comments
Labels
triage

Comments

@Rick-Phoenix
Copy link

Which middleware has the bug?

@hono/zod-openapi

What version of the middleware?

0.18.3

What version of Hono are you using?

4.6.14

What runtime/platform is your app running on? (with version if possible)

Node 20.17.0

What steps can reproduce the bug?

  1. Create a select schema with drizzle-zod. Add a .omit() option to omit some fields and add .strict() to make sure that extra fields are not accepted.
  2. Assign the schema to a response with the createRoute API

What is the expected behavior?

  • When passing an object that has fields that are not included in the schema to c.json(), the response should be seen as invalid and throw a type error.

What do you see instead?

  • No error is shown, and the response is seen as valid.

Additional information

I have tested the schema and I can clearly see from the openAPI specs that "additionalProperties" is set to false.
Also, I can see from the autocomplete on c.json() that the schema does indeed exclude the extra properties that I am passing.

However, I can still pass extra fields and I get no error.
I only get an error if I am manually parsing the response with zod.
@yusukebe
Copy link
Member

Hi @Rick-Phoenix

Thank you for the issue. It is a known issue that the Zod OpenAPI can't validate the value of the response: #181

@askorupskyy
Copy link
Contributor

askorupskyy commented Jan 7, 2025
edited
Loading 

function strictJSONResponse<
  C extends Context,
  S extends ZodSchema,
  U extends StatusCode
>(c: C, schema: S, data: Parameters<Context['json']>[0], statusCode: U) {
  const validatedResponse = schema.safeParse(data);

  if (!validatedResponse.success) {
    return c.json(
      {
        message: 'Strict response validation failed',
      },
      500
    );
  }

  return c.json(validatedResponse.data as z.infer<S>, statusCode);
}

worked for me. maybe we could make this a helper?

@Rick-Phoenix
Copy link
Author

Would that work with parseAsync too?

@askorupskyy
Copy link
Contributor

@Rick-Phoenix yes just make your function async

@yusukebe
Copy link
Member

yusukebe commented Jan 8, 2025

@askorupskyy

Ah, I'm also considering the same approach: using a helper to validate the data before c.json()! This approach may not be only Zod OpenAPI function, but we can make it a more general feature in the hono core package.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yusukebe @askorupskyy @Rick-Phoenix