
feat: drop all additional properties from responses#1030

Open
j-zimnowoda wants to merge 13 commits into
mainfrom
APL-1986

Conversation


@j-zimnowoda j-zimnowoda commented Jun 30, 2026

Contributor

This PR aims to strictly adhere to the OpenApi spec contract.
It validates the API responses, drops any additional content that is not defined in the schema, and returns HTTP 500 if the response is missing any required parameter.

/v1/settings responses are not validated because the schema and responses are not compatible at the moment. The v2/settings/<type> needs to be introduced.

@j-zimnowoda j-zimnowoda changed the title feat: redact all additional properties from responses feat: drop all additional properties from responses Jun 30, 2026
Comment thread src/app.ts
},
validateResponses: false, // Start with false, can enable later for debugging
validateResponses: {
removeAdditional: 'all', // Remove properties not defined in the schema from responses
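Review bot: the inline comment on the new `validateResponses` block only says that undeclared properties are removed; it should also say that a response missing a required property is now rejected with HTTP 500 (stated in the PR description but not visible at the config), since that is the behaviour most likely to surprise the next person who touches src/app.ts. A pair of tests, one sending a handler response with an extra field and one with a missing required field, would pin both outcomes down.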

Contributor Author


This is the most important change.

Comment thread src/openapi/api.yaml
- $ref: '#/components/schemas/aplMetadata'
AplAgentResponse:
type: object
allOf:
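Review bot: this hunk still shows `allOf:` under AplAgentResponse, while the thread states that allOf does not work together with `removeAdditional`; if any of the rewritten *Response schemas keeps an allOf composition, fields from one branch (such as the `aplMetadata` ones referenced just above) will be stripped when the sibling branch is evaluated. A schema-level check that enumerates components/schemas for `allOf` (or a test that round-trips a full AplAgentResponse through the validator and asserts the metadata fields survive) would keep this from regressing.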

Contributor Author


The allOf does not work in combination with the validateResponses.removeAdditional option of the express plugin.
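To make the allOf problem concrete, here is an added, self-contained model (not the project's code and not AJV itself) of how a `removeAdditional: 'all'` pass strips properties per subschema, so an allOf-composed response schema loses fields that a flattened `properties`/`required` schema keeps, and how a missing required field becomes the 500 the PR describes. The schemas and the sample response body are constructed for the illustration.

```javascript
// Simplified model of AJV-style removeAdditional:'all' behaviour (added
// example, not the express-openapi-validator implementation). Each object
// schema removes every key it does not declare; an allOf applies each
// branch in turn to the same object, so branch A strips what only branch B
// declares and vice versa. Schemas here are constructed, not from api.yaml.
function stripAdditional(schema, value) {
  if (schema.allOf) {
    for (const sub of schema.allOf) stripAdditional(sub, value);
    return value;
  }
  if (schema.type === 'object' && schema.properties) {
    for (const key of Object.keys(value)) {
      if (!(key in schema.properties)) delete value[key];
    }
  }
  return value;
}

// Emulates the response validator: strip undeclared properties, then treat a
// missing required property as a server-side contract violation (the PR maps
// this to HTTP 500). Works on a shallow copy so the caller's object survives.
function sanitizeResponse(schema, body) {
  const out = stripAdditional(schema, { ...body });
  const missing = (schema.required || []).filter((k) => !(k in out));
  if (missing.length) {
    throw new Error(`response missing required: ${missing.join(',')}`);
  }
  return out;
}

// Constructed stand-in for components/schemas/aplMetadata.
const aplMetadata = { type: 'object', properties: { id: {}, teamId: {} } };

// Composed form: metadata branch plus a spec branch, joined with allOf.
const composedResponse = {
  allOf: [aplMetadata, { type: 'object', properties: { spec: {} } }],
};

// Flattened form, as the PR rewrites the *Response schemas: explicit
// properties and required at one level, no composition.
const flattenedResponse = {
  type: 'object',
  required: ['id', 'teamId', 'spec'],
  properties: { id: {}, teamId: {}, spec: {} },
};

// Constructed handler output with one field the contract does not declare.
const sampleBody = { id: 'a1', teamId: 't1', spec: { image: 'x' }, internalToken: 'secret' };
```

With `composedResponse` every field is stripped (the spec branch removes the metadata keys and the metadata branch removes `spec`), while `flattenedResponse` drops only `internalToken` and rejects a body that lacks `spec`.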

Copilot AI left a comment

Contributor


Pull request overview

This PR enables response validation/sanitization so API responses conform strictly to the OpenAPI schema by stripping properties not defined in the schema, and adjusts OpenAPI definitions, handlers, and tests accordingly.

Changes:

  • Enable response validation with additional-property removal in express-openapi-validator.
  • Refactor multiple OpenAPI response schemas (replace allOf composition with explicit properties/required) to support property stripping.
  • Standardize several “no body” endpoints (notably DELETE/migrate operations) to return an empty 200 response and update authz tests/mocks to satisfy response validation.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/openapi/api.yaml | Updates response shapes (e.g., dashboard response) and rewrites multiple *Response schemas to explicit properties/required for stricter response enforcement. |
| src/app.ts | Turns on response validation/sanitization via express-openapi-validator. |
| src/api/v2/teams/{teamId}/workloads/{workloadName}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/services/{serviceName}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/sealedsecrets/{sealedSecretName}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/netpols/{netpolName}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/coderepos/{codeRepositoryName}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/builds/{buildName}.ts | Makes build edit/patch handlers async/await and changes DELETE to end 200 without JSON body. |
| src/api/v2/teams/{teamId}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/namespaces/{namespace}/sealedsecrets/{sealedSecretName}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/git.ts | Migration endpoint now ends 200 response without JSON body. |
| src/api/v2/cloudtty.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v2/catalogs/{catalogId}.ts | DELETE now ends 200 response without a JSON body. |
| src/api/v1/users/{userId}.ts | DELETE now ends 200 response without a JSON body. |
| src/api.authz.test.ts | Updates mocks/expected return payloads to satisfy stricter response validation. |
| src/api-v2.authz.test.ts | Adds richer mock resources (incl. status/metadata) to satisfy stricter response validation. |

