Add ability to ignore validation on routes to avoid 404 status for undocumented routes #141

Closed
supercoffee opened this issue Nov 25, 2019 · 5 comments
Labels
enhancement New feature or request

Comments

@supercoffee

I have added this library to an existing Express project; however, not all the existing endpoints are documented in my OAPI spec. In this scenario, all the existing endpoints which are not documented are flagged by the SecurityValidator as non-existent. Is there a way to allow undocumented routes to bypass this middleware?

My installation

  new OpenApiValidator({
    apiSpec: spec,
    validateRequests: true,
    // validateResponses: false
  }).install(app);

  app.use((err, req, res, next) => {
    // format error
    if (typeof err.toJSON !== 'undefined') {
      res.status(err.status || 500).json({
        message: err.message,
        errors: err.errors,
      });
      return;
    }
    next(err);
  });

Stack trace

Error: not found
    at Object.validationError (/usr/src/api/node_modules/express-openapi-validator/dist/middlewares/util.js:42:25)
    at /usr/src/api/node_modules/express-openapi-validator/dist/middlewares/openapi.security.js:16:32
    at Layer.handle [as handle_request] (/usr/src/api/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/api/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/api/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/api/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/api/node_modules/express/lib/router/index.js:275:10)
    at /usr/src/api/node_modules/express-openapi-validator/dist/middlewares/openapi.multipart.js:37:13
    at Layer.handle [as handle_request] (/usr/src/api/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/api/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/api/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/api/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/api/node_modules/express/lib/router/index.js:275:10)
    at /usr/src/api/node_modules/express-openapi-validator/dist/middlewares/openapi.metadata.js:20:10
    at Layer.handle [as handle_request] (/usr/src/api/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/api/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/api/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/api/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/api/node_modules/express/lib/router/index.js:275:10)
    at /usr/src/api/src/middleware/authorization.ts:53:9
    at Layer.handle [as handle_request] (/usr/src/api/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/api/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/api/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/api/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/api/node_modules/express/lib/router/index.js:275:10)
    at /usr/src/api/node_modules/express-jwt/lib/index.js:128:7
    at /usr/src/api/node_modules/async/lib/async.js:52:16

Based on my inspection of the code, the security middleware is installed if there are any security options present in the OAPI spec. It would be helpful if there were an option to bypass the installation of security middleware for undocumented routes.

@cdimascio
Owner

Currently, if a route resides beneath the base path, the validator requires it to be documented. If the route does not reside beneath the base path, all checks are ignored.

Does the route you'd like to ignore reside beneath the base path?

If so, perhaps we can consider providing an ignoreRoutes option. This option, for example, might take a regex value that's used to match routes. If a route matches, the validator skips validation.

@Aidenir

Aidenir commented Nov 26, 2019

@cdimascio Yes please do. We're trying to integrate this into our codebase, but don't have all our endpoints documented yet. Meaning we can't gradually introduce this but must do it all in one go, which we don't have the bandwidth for.

@supercoffee
Author

supercoffee commented Nov 26, 2019

@cdimascio

> Does the route you'd like to ignore reside beneath the base path?

Yes, that's the issue. The affected routes are children of the base path which I haven't documented yet. As @Aidenir mentioned, it would be nice to incrementally apply validation by documenting existing endpoints.

> If so, perhaps we can consider providing an ignoreRoutes option. This option, for example, might take a regex value that's used to match routes. If a route matches, the validator skips validation.

I was thinking of a flag that would skip over undocumented routes, but the ignoreRoutes you mention is probably more flexible and useful for other purposes.

@cdimascio
Owner

Will explore this

cdimascio added the enhancement label Nov 27, 2019
cdimascio changed the title from "404 returned for undocumented routes" to "Add ability to ignore validation on routes to avoid 404 status for undocumented routes" Nov 27, 2019
cdimascio pushed a commit that referenced this issue Nov 27, 2019
@cdimascio
Owner

@supercoffee @Aidenir please give v2.18.0 a try. ignorePaths is available there
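
A simplified model of the behaviour discussed in this thread (routes outside the base path are skipped, routes matching the ignore pattern are skipped, everything else under the base path must be documented), added here as an example and not taken from express-openapi-validator's code. The function names, the `/v1` base path and the sample routes are constructed for illustration; the last function flags documented routes that an overly broad ignore pattern would take out of validation.

```javascript
// Simplified model of the routing decision described in this thread.
// Not the library's source; all names below are hypothetical.

// Turn an OpenAPI path template such as /pets/{id} into an anchored RegExp.
function templateToRegExp(template) {
  const body = template
    .split(/(\{[^}]+\})/)
    .map((part) =>
      /^\{[^}]+\}$/.test(part)
        ? '[^/]+' // a path parameter matches one segment
        : part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') // literal text, escaped
    )
    .join('');
  return new RegExp(`^${body}/?$`);
}

// Decide what happens to a request path under the rules stated above.
function classify(path, { basePath, documented, ignorePaths }) {
  if (path !== basePath && !path.startsWith(basePath + '/')) {
    return 'outside-base-path'; // all checks are skipped
  }
  if (ignorePaths && ignorePaths.test(path)) {
    return 'ignored'; // request and security validation are skipped
  }
  const rel = path.slice(basePath.length) || '/';
  return documented.some((t) => templateToRegExp(t).test(rel))
    ? 'validated'
    : 'not-found'; // the 404 reported in this issue
}

// Paths that would be validated without the ignore pattern but are skipped with it.
function shadowedByIgnore(samplePaths, opts) {
  const withoutIgnore = { ...opts, ignorePaths: null };
  return samplePaths.filter(
    (p) => classify(p, withoutIgnore) === 'validated' && classify(p, opts) === 'ignored'
  );
}

// Constructed sample configuration and request paths.
const narrow = {
  basePath: '/v1',
  documented: ['/pets', '/pets/{id}'],
  ignorePaths: /^\/v1\/legacy\//, // only the undocumented legacy subtree
};
const broad = { ...narrow, ignorePaths: /\/v1\/.*/ }; // matches everything under /v1
const samples = ['/v1/pets', '/v1/pets/42', '/v1/legacy/report', '/v1/unknown', '/health'];

console.log(samples.map((p) => [p, classify(p, narrow)]));
console.log('shadowed by broad pattern:', shadowedByIgnore(samples, broad));
```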
