How to disallow unknown query parameter? #2511
Description
The operation object allows folks to specify parameters, but how can I express that no unnamed parameters may be accepted?
We've had issues where clients are passing in query parameters thinking that they're accepted when actually they are not.
How do folks feel about introducing something like additionalQueryParameters for parameters?
/foo:
get:
parameters:
limit:
in: query
offset:
in: query
additionalQueryParameters: false
...Then when folks do GET /foo?start=xxx-xxx-xxx they'll get an error instead of a silent failure.
Other links on the web:
- https://stackoverflow.com/questions/58187233/is-it-possible-to-disallow-unknown-query-parameters-in-an-openapi-v3-spec
- Rejecting unknown query parameters should be optional cdimascio/express-openapi-validator#133
- Should a server ignore unrecognized query parameters OR throw a 400? opengeospatial/ogcapi-features#128
- https://softwareengineering.stackexchange.com/a/311489
Metadata
Metadata
Assignees
Type
Projects
Relationships
Development
No branches or pull requests
Participants
Activity
savage-alex commentedon Mar 26, 2021
This is an excellent question!
Inside a schema the additionalProperties defaults to true as it (loosely in 3.0) based on JSON schema which will unless specified accept additional properties.
Re query params it is an interesting question and seems to vary per implementation. As these are explicitly defined and documented a client should be following the API definition to ensure the type, range, format etc of their request matches what the OAS definition aka "contract" prescribes. You would be well within your rights to return a 400 detailing the unsupported parameter in the same way you would report an out of range.
Where it gets a bit nuanced is interpretations of postels law on being conservative what you send and liberal in what you accept. Its not unusual to see APIs that would accept but disregard anything that is not in the definition silently and this is also acceptable.
Is it something you could cover in the descriptions and overall behaviour of your APIs stating your position and in your level of error verboseness?
hkosova commentedon Mar 26, 2021
Possibly related: #568
g-t-a-ogle commentedon Aug 12, 2021
This would be a very useful feature to have, as an added help to security. It also helps with the conditions mentioned above, especially where you would consider sending the wrong query variables concerning and you have a large number of paths.
MikeRalphson commentedon Aug 13, 2021
If we moved to representing all
in:queryparameters as an object described by a single JSON schema, then we would get this functionality 'for free' with the existingadditionalPropertieskeyword.nfroidure commentedon Aug 23, 2021
In my APIs I always default to disallow additional query parameters but I think it would be nice to have this option to explicitly say we do it.
I also made a proposal for the order of the query parameters here: #883
aagranovExtend commentedon Jan 26, 2022
This would be very useful. I was looking for this just now.
smikulcik commentedon Apr 22, 2022
So where does this put us today.
@savage-alex you make a good point about what we actually should and shouldn't document in our specifications.
Perhaps we should ask, "when would it be desirable to permit undocumented query parameters?" If we have no good use cases for it, maybe we should by default specify that implementations should reject unknown query parameters in general.
Virtual-felix commentedon Aug 16, 2022
Did someone found a workaround in the meantime that the feature might be integrated ?
Or there is no way to catch unknown query parameter as an error currently ?
mikekistler commentedon Apr 23, 2024
Reposting my comments from #3738 here for visibility:
I am wondering how this feature will be used in practice.
I don't think users of the API get any benefit from it. It does not "describe" any useful behavior of the API, unlike
additionalPropertieswhich can include a description that explains the meaning of additional properties. It specifies when the operation is required to fail but not when it actually will fail, since undefined query parameters can still cause failures whenundefinedQueryParametersistrue, the default. So users must be prepared for failures either way.I suppose this clarifies to implementers how they should treat undefined query parameters, but this assumes that the API description is written by someone other than the team that implements the API, which in my experience is rather rare.
I do understand that, from an API governance perspective, rejecting undefined query parameters is a best practice and failures to do so should be rooted out and corrected. But I don't think adding
undefinedQueryParametershelps much on this front -- and could actually hinder it, since it gives implementers an excuse for not following this best practice -- "Well, we didn't document that undefined query parameters must fail, so we don't need to fix our service".In short, I don't see much practical value in this new keyword and would not recommend it's use in any of the APIs I work with, but if others feel strongly that it is needed I wouldn't oppose it.
handrews commentedon Apr 23, 2024
I'll note that I've talked to several folks who specifically recommend allowing undefined query parameters due to 3rd-party entities appending them for various purposes (e.g. tracking). There was a brief discussion about it on the APIs You Won't Hate slack recently.
So that's a use case for allowing, and multiple people have spoken up here over the past two years saying that they would use the disallow.
I'm generally very skeptical of one person saying "I wouldn't use this" and making that an argument for not adding something. Particularly when multiple people over time have said they would use it. Why should someone's lack of interest in a feature invalidate the use cases of others? No one is forced ot use the keyword.
17 remaining items
mikekistler commentedon May 8, 2024
I'm going to bow out of this discussion now. I concede that there is value in having a "constraint system" for HTTP APIs and I'm fine to let OpenAPI be that as long as it does not impede using it for describing APIs, which is my primary use case.
handrews commentedon May 8, 2024
Just to close the loop for those that were not on this week's Moonwalk call, related to @mikekistler constraint system vs description comment:
I emphatically made the point that this is not an either-or thing. It is a context-specific both-and.
We have JSON Schema as a constraint system, for better or worse, and that's not changing in 3.x. However, it is only used for request/response bodies and query parameters. And this particular issue is only about URL query string parameters, which is an important distinction. In particular, this is not about header parameters.
Headers and response codes (and methods, although we restrict those far beyond what the HTTP spec allows) are defined as open-ended spaces. The RFCs require that implementations MUST allow unknown values, and specifies how to treat them. Constraining those spaces with a "no undefined values" would be objectively incorrect. This is because the API designer does not control what all parties might do with headers and status codes.
Request and response bodies, as well as URLs, are owned by the resource. It is entirely within the right of the resource to put whatever constraints they want on these things. Some users think that's a good thing to do, some users think that's a bad thing to do. We should not care. It has use cases and more demand (shown by the 7 or so people who have asked for it here) than many other features.
The RFCs grant full control of bodies and URLs to resource owners (who are, in this case, the API description authtors), and our spec should reflect that.
handrews commentedon May 8, 2024
At this point, I feel quite strongly that this should be solved, although possibly not the way I did in the PR I've posted.
@earth2marsh you've told me that you're more concerned with Moonwalk, and I agree that we should work out a philosophically consistent system there. But we have to deal with 3.x as it is, and so do users of the spec.
I've gone back through all of the objections and not a single one addresses the use cases brought up by the six different people who have argued in favor (four originally, plus @notEthan and @hudlow as well as one of the first four commenting recently):
Automated testing in particular is a core use case for the OAS. I don't think two people saying "I don't see the use of this" should overrule at least six people who have explained exactly how they would use it. If folks want to explain why those use cases are invalid (which is not the same as "I wouldn't do that"), then let's discuss that. Otherwise, we have a clear demand and clear use cases, so we should support it.
That said, I'm not sure
allowUndefinedQueryParametersas proposed in PR #3738 is the way to go. I am now leaning towards just supporting issue #1502, which would give total parity with howapplication/x-www-form-urlencodedrequest bodies are handled. That would solve this issue, and several others (e.g. #2347, #2298 and possibly more).It would also be impossible to complain about added complexity, because tools already have to support the exact same thing for request bodies.
earth2marsh commentedon May 8, 2024
There's a lot I agree with in your post, Henry, but there is still one thing that concerns me. We identified a principle of supporting mechanical upgrades for Moonwalk, so if we continue down this path, mightn't we violate that? (Or else perhaps it means providing some affordance for a constraint system on top of the descriptive/open-world layer?)
handrews commentedon May 8, 2024
@earth2marsh that's a good question, but if we take my solution of implementing #1502, the only thing we are "adding" is an exact analogue of what we already support for request bodies. It's the exact same syntax, and the exact same process, you just put it in the query string instead of in a single-line request body.
So how could that make Moonwalk upgrades any more difficult? That is not a rhetorical question, I just don't see where there would be a problem that doesn't already exist. The upgrade for describing
application/x-ww-form-urlencodedshould be the same no matter where it goes. In fact, Moonwalk should be an opportunity to make that more consistent, both philosophically and syntactically.handrews commentedon May 8, 2024
Actually, I'm pretty sure it makes upgrades easier, because you can already do @karenetheridge 's trick in many situations, so we'd have to upgrade that already. But we can migrate that trick to the #1502 solution, which then reduces it to a problem we have to solve anyway (
form-urlencodedfor request bodies). So it actually provides us with a smoother migration path. That's another reason to use the #1502 solution instead of theallowUnknownQueryStringParamsboolean (which I'm increasingly against).handrews commentedon May 9, 2024
In today's TDC call, we decided to consider a proposal for #1502, which would solve this without adding new fields. @earth2marsh keep an eye out for the proposal and we can continue the discussion there - I have already closed the PR I opened specifically for this issue.
in: "querystring"parameter location treating the entire query string as one chunk of content #4590