feat: drop all additional properties from responses #1030
Open
j-zimnowoda wants to merge 13 commits into
Conversation
j-zimnowoda
commented
Jun 30, 2026
| }, | ||
| validateResponses: false, // Start with false, can enable later for debugging | ||
| validateResponses: { | ||
| removeAdditional: 'all', // Remove properties not defined in the schema from responses |
Contributor
Author
This is the most important change.
j-zimnowoda
commented
Jun 30, 2026
| - $ref: '#/components/schemas/aplMetadata' | ||
| AplAgentResponse: | ||
| type: object | ||
| allOf: |
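Review bot: the `allOf` under `AplAgentResponse` is the pattern the author says breaks with `removeAdditional`: when removal is applied per branch, each branch strips the properties that only the other branch declares. If this schema is not among the `*Response` schemas flattened to explicit `properties`/`required` in this PR, it should be, or it should carry a comment saying why it is exempt from response sanitization.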
Contributor
Author
The allOf does not work in combination with the validateResponses.removeAdditional express plugin.
Contributor
Pull request overview
This PR enables response validation/sanitization so API responses conform strictly to the OpenAPI schema by stripping properties not defined in the schema, and adjusts OpenAPI definitions, handlers, and tests accordingly.
Changes:
- Enable response validation with additional-property removal in express-openapi-validator.
- Refactor multiple OpenAPI response schemas (replace `allOf` composition with explicit `properties`/`required`) to support property stripping.
- Standardize several "no body" endpoints (notably DELETE/migrate operations) to return an empty 200 response and update authz tests/mocks to satisfy response validation.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/openapi/api.yaml | Updates response shapes (e.g., dashboard response) and rewrites multiple *Response schemas to explicit properties/required for stricter response enforcement. |
| src/app.ts | Turns on response validation/sanitization via express-openapi-validator. |
| src/api/v2/teams/{teamId}/workloads/{workloadName}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/services/{serviceName}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/sealedsecrets/{sealedSecretName}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/netpols/{netpolName}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/coderepos/{codeRepositoryName}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/teams/{teamId}/builds/{buildName}.ts | Makes build edit/patch handlers async/await and changes DELETE to end the 200 response without a JSON body. |
| src/api/v2/teams/{teamId}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/namespaces/{namespace}/sealedsecrets/{sealedSecretName}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/git.ts | Migration endpoint now ends the 200 response without a JSON body. |
| src/api/v2/cloudtty.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v2/catalogs/{catalogId}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api/v1/users/{userId}.ts | DELETE now ends the 200 response without a JSON body. |
| src/api.authz.test.ts | Updates mocks/expected return payloads to satisfy stricter response validation. |
| src/api-v2.authz.test.ts | Adds richer mock resources (incl. status/metadata) to satisfy stricter response validation. |
This PR aims to strictly adhere to the OpenApi spec contract.
It validates the API responses, drops any additional content that is not defined in the schema and returns HTTP 500 if the response is missing any required parameter.
/v1/settings responses are not validated because the schema and responses are not compatible at the moment. The v2/settings/<type> needs to be introduced.
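Added example, not code from this PR or from express-openapi-validator: a dependency-free model of what `validateResponses: { removeAdditional: 'all' }` does to a response body, and why the author's note that `allOf` does not work with it led to flattening the `*Response` schemas. The schemas and the `sampleBody` are constructed for illustration; `sanitize` and `validateResponse` are hypothetical names that model Ajv's per-`properties` removal, not the library's own API.

```typescript
// Added example, not code from the PR: a dependency-free model of what
// `validateResponses: { removeAdditional: 'all' }` does to a response body.
// This models Ajv's behaviour: keys absent from each `properties` keyword it
// evaluates are dropped, so inside `allOf` every branch deletes the keys that
// only the other branch declares. That is why the PR flattens the *Response
// schemas into one `properties`/`required` block.
type Schema = { type?: string; properties?: Record<string, Schema>; required?: string[]; allOf?: Schema[] };

// Strip undeclared keys from `body` in place and return the required keys that are missing.
function sanitize(schema: Schema, body: unknown): string[] {
  const missing: string[] = [];
  for (const sub of schema.allOf ?? []) missing.push(...sanitize(sub, body)); // each branch runs on the same object
  if (typeof body !== 'object' || body === null || Array.isArray(body)) return missing;
  const obj = body as Record<string, unknown>;
  if (schema.properties) {
    for (const key of Object.keys(obj)) {
      if (!(key in schema.properties)) delete obj[key]; // removeAdditional: 'all'
      else missing.push(...sanitize(schema.properties[key], obj[key])); // nested objects are stripped too
    }
  }
  for (const key of schema.required ?? []) if (!(key in obj)) missing.push(key);
  return missing;
}

// Mirrors the validator's outcome: a missing required key fails the response (HTTP 500),
// otherwise the stripped copy is what the client receives. The original body is not mutated.
function validateResponse(schema: Schema, body: unknown): { status: number; body?: unknown; missing?: string[] } {
  const copy = JSON.parse(JSON.stringify(body));
  const missing = sanitize(schema, copy);
  return missing.length ? { status: 500, missing } : { status: 200, body: copy };
}

// Constructed sample: a handler returning metadata, spec and an internal field the spec never declared.
const sampleBody = { metadata: { name: 'agent-1', uid: 'u-1' }, spec: { image: 'img' }, internalCache: {} };
const metadataPart: Schema = {
  type: 'object', required: ['metadata'],
  properties: { metadata: { type: 'object', properties: { name: { type: 'string' } }, required: ['name'] } },
};
const specPart: Schema = { type: 'object', required: ['spec'], properties: { spec: { type: 'object' } } };

// Before: `allOf` composition as in the AplAgentResponse hunk; the first branch strips `spec`,
// the second strips `metadata`, and the second branch's required check fails -> 500.
const composedSchema: Schema = { type: 'object', allOf: [metadataPart, specPart] };
// After: the flattened form; only `internalCache` and `metadata.uid` are dropped -> 200.
const flattenedSchema: Schema = {
  type: 'object', required: ['metadata', 'spec'],
  properties: { ...metadataPart.properties, ...specPart.properties },
};

console.log(validateResponse(composedSchema, sampleBody));  // { status: 500, missing: ['spec'] }
console.log(validateResponse(flattenedSchema, sampleBody)); // { status: 200, body: { metadata: { name: 'agent-1' }, spec: { image: 'img' } } }
```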