savage-alex/api-oas-checker 0

An OpenAPI 3 checker based on spectral.

savage-alex/openapi 0

Early Availability for the OpenAPI v3 specification for DigitalOcean's public API.

savage-alex/spec 0

CloudEvents Specification

savage-alex/website 0

Website for the Inclusive Naming Initiative

issue comment apideck-libraries/portman

security - bearer token blank results in No Authorization header being sent

@thim81 it was seen from this portman config - see the variation tests for noToken (portman-config.adv.json.txt). The OpenAPI used is here: https://app.swaggerhub.com/apis/AdvancedComputerSoft/demo-advanced-car-inventory/1.1.2

This is the resulting variation tests in Postman. My assumption is that if the bearer token is blank in Postman, it will not send the header (from some manual testing). [image]

Thanks

thim81

comment created time in 4 days

pull request comment italia/api-oas-checker

Fix: #453. Add basic httpbis checks.

@vlauciani, it looks like you are seeing the same error with the same version of spectral as I am.

ioggstream

comment created time in 7 days

Pull request review comment italia/api-oas-checker

Fix: #453. Add basic httpbis checks.

+rules:+  http-request-GET-no-body:+    description: |-+      A `GET` request MUST NOT accept a `requestBody`+      because this behavior is not interoperable.+      Moreover intermediaries such as reverse proxies+      are allowed to strip the content from `GET` requests.++      See RFC7231 for further information.+    message: >-+      A GET request MUST NOT accept a requestBody: {{error}}.+    severity: error+    given: $.paths..get.requestBody+    then:+      function: undefined+  http-request-DELETE-no-body:+    description: |-+      Sending a `requestBody` in a `DELETE` request +      is not considered interoperable.+      Moreover intermediaries such as reverse proxies+      might strip the content from `DELETE` requests.++      See RFC7231 for further information.+    message: >-+      A DELETE request SHOULD NOT accept a requestBody: {{error}}.+    severity: warn+    given: $.paths..delete.requestBody+    then:+      function: undefined+  http-response-no-content-204-205: &response-content+    description: >-+      Responses with the following status codes usually+      expected to include a content,+      which might have zero length: 200, 201, 202, 203, 206.++      Responses with status code 204 and 205 MUST NOT include a content.++      See RFC7231 for further information.++    message: >-+      204 and 205 responses MUST NOT have a content: {{error}}.+    severity: error+    given: $.paths.[?( @property === '204' || @property === '205')]+    then:+      field: content+      function: falsy+  http-response-content-2xx:+    <<: *response-content+    message: >-+      200, 201, 202, 203 and 206 responses usually have a content: {{error}}.+    severity: hint+    given: "$.paths.[?( @property && @property.match(/(200|201|202|203|206)/) )]"
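Review bot: the `http-response-content-2xx` rule inherits `then` from `&response-content` through `<<: *response-content` and overrides only `message`, `severity` and `given`, so it still runs `field: content` / `function: falsy`; that reports the 2xx responses that do carry a content, the opposite of what its message ("200, 201, 202, 203 and 206 responses usually have a content") says. Give the rule its own `then:` with `field: content` and `function: truthy`. Two smaller points in the same block: the inherited description still ends with "Responses with status code 204 and 205 MUST NOT include a content", which is misleading under the 2xx hint, so override `description` as well (and "usually expected to include a content" is missing "are"); and the `@property.match(/(200|201|202|203|206)/)` test is unanchored, so `^(200|201|202|203|206)$` would avoid matching any key that merely contains those digits.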

Apart from getting an error (likely my setup), the rest of the rules here work great and are clear and concise.

ioggstream

comment created time in 7 days

Pull request review comment italia/api-oas-checker

Fix: #453. Add basic httpbis checks.

+rules:+  http-request-GET-no-body:+    description: |-+      A `GET` request MUST NOT accept a `requestBody`+      because this behavior is not interoperable.+      Moreover intermediaries such as reverse proxies+      are allowed to strip the content from `GET` requests.++      See RFC7231 for further information.+    message: >-+      A GET request MUST NOT accept a requestBody: {{error}}.+    severity: error+    given: $.paths..get.requestBody+    then:+      function: undefined+  http-request-DELETE-no-body:+    description: |-+      Sending a `requestBody` in a `DELETE` request +      is not considered interoperable.+      Moreover intermediaries such as reverse proxies+      might strip the content from `DELETE` requests.++      See RFC7231 for further information.+    message: >-+      A DELETE request SHOULD NOT accept a requestBody: {{error}}.+    severity: warn+    given: $.paths..delete.requestBody+    then:+      function: undefined+  http-response-no-content-204-205: &response-content+    description: >-+      Responses with the following status codes usually+      expected to include a content,+      which might have zero length: 200, 201, 202, 203, 206.++      Responses with status code 204 and 205 MUST NOT include a content.++      See RFC7231 for further information.++    message: >-+      204 and 205 responses MUST NOT have a content: {{error}}.+    severity: error+    given: $.paths.[?( @property === '204' || @property === '205')]+    then:+      field: content+      function: falsy+  http-response-content-2xx:+    <<: *response-content+    message: >-+      200, 201, 202, 203 and 206 responses usually have a content: {{error}}.+    severity: hint+    given: "$.paths.[?( @property && @property.match(/(200|201|202|203|206)/) )]"

I am receiving this error when trying to evaluate this function (I am using vanilla Spectral 5.9, so that may be why): [image]

I am currently using "$.paths.[?( @property === '200' || @property === '201' || @property === '202')]" to achieve this rule (albeit missing 203 and 206), if that helps.

ioggstream

comment created time in 7 days

started thomasdarimont/awesome-keycloak

started time in 11 days

started auth0/node-jsonwebtoken

started time in 15 days

started NickHeap2/add-props-flipflop

started time in 16 days

issue closed apideck-libraries/portman

Integers with format of int32 & 64 given an error

Given the following OpenAPI (attached resolved JSON and native un-resolved YAML - had to rename them to .txt to allow for upload):

When schema validation is enabled, the following response is seen in Postman: [image]

AdvancedComputerSoft-demo-advanced-car-inventory-1.1.2-swagger.yaml.txt
AdvancedComputerSoft-demo-advanced-car-inventory-1.1.2-resolved.json.txt

API is here: https://app.swaggerhub.com/apis/AdvancedComputerSoft/demo-advanced-car-inventory/1.1.2

closed time in a month

savage-alex

issue comment apideck-libraries/portman

security - bearer token blank results in No Authorization header being sent

How does it look in the generated collection.json?

    "method": "GET",
    "auth": {
      "type": "bearer",
      "oauth2": [],
      "bearer": [
        {
          "type": "any",
          "value": "",
          "key": "token"
        }
      ]
    }

thim81

comment created time in a month

issue comment apideck-libraries/portman

security - bearer token blank results in No Authorization header being sent

I believe Postman may be the cause of this behaviour. If you leave the bearer token blank, it doesn't send anything.

thim81

comment created time in a month

issue comment apideck-libraries/portman

Integers with format of int32 & 64 given an error

No error, just something I noticed in the schema validation that looked suspect.

savage-alex

comment created time in a month

issue opened apideck-libraries/portman

Integers with format of int32 & 64 given an error

Given the following OpenAPI (attached resolved JSON and native un-resolved YAML - had to rename them to .txt to allow for upload):

When schema validation is enabled, the following response is seen in Postman: [image]

AdvancedComputerSoft-demo-advanced-car-inventory-1.1.2-swagger.yaml.txt
AdvancedComputerSoft-demo-advanced-car-inventory-1.1.2-resolved.json.txt

created time in a month

issue closed apideck-libraries/portman

Security Tests: Expired tokens

User Story: As an API tester, I want to have a test that calls each API operation with expired access tokens (JWT only), so that any misconfigured APIs can be found.

Acceptance Criteria

  • New configuration exists to enable feature
  • New folder for path + (Expired Auth) exists when imported to Postman
  • Calls are made with an expired token (perhaps as a variable)
  • Response codes and schema validation match the 401 or 403 schemas

Inspired by tests here: https://www.postman.com/postman/workspace/postman-security-workspace

closed time in a month

savage-alex

issue comment apideck-libraries/portman

Security Tests: Expired tokens

Shall close as variation tests cover this.

savage-alex

comment created time in a month

issue closed apideck-libraries/portman

Security tests: No auth

User Story: As an API tester, I want to have a test that calls each API operation with no security, so that any misconfigured APIs without security are found automatically.

Acceptance Criteria

  • New configuration exists to enable feature
  • New folder for path + (No Authentication) exists when imported to Postman
  • Calls are made with authorization set to No Auth
  • Response codes and schema validation match the 401 or 403 schemas

closed time in a month

savage-alex

issue comment apideck-libraries/portman

Security tests: No auth

I had read the docs but failed to notice the examples here! I will set up some scenarios, thanks!

savage-alex

comment created time in a month

issue opened apideck-libraries/portman

Security Tests: Expired tokens

User Story: As an API tester, I want to have a test that calls each API operation with expired access tokens (JWT only), so that any misconfigured APIs can be found.

Acceptance Criteria

  • New configuration exists to enable feature
  • New folder for path + (Expired Auth) exists when imported to Postman
  • Calls are made with an expired token (perhaps as a variable)
  • Response codes and schema validation match the 401 or 403 schemas

Inspired by tests here: https://www.postman.com/postman/workspace/postman-security-workspace

created time in a month

issue opened apideck-libraries/portman

Security tests: No auth

User Story: As an API tester, I want to have a test that calls each API operation with no security, so that any misconfigured APIs without security are found automatically.

Acceptance Criteria

  • New configuration exists to enable feature
  • New folder for path + (No Authentication) exists when imported to Postman
  • Calls are made with authorization set to No Auth
  • Response codes and schema validation match the 401 or 403 schemas

created time in a month

issue opened stoplightio/spectral

Enable AdditionalProperties:false override

User story: As an API designer, I want to ensure my examples are correctly spelled and typed for properties that are in my API definition, so that any consumers of mocked endpoints do not get incorrect properties.

Is your feature request related to a problem? Spectral can find examples that are bad when additionalProperties is set to false, but it's not something we want to do when we release API definitions, as it stops evolution.

Describe the solution you'd like: A mode for Spectral to lint the examples against the definition and to ensure no additionalProperties are present (expect it to be an additional mode).

Additional context: Add any other context or screenshots about the feature request here.

created time in a month

issue comment apideck-libraries/portman

Contract test - additional properties

Please do.

thim81

comment created time in a month

issue comment apideck-libraries/portman

Contract test - additional properties

Ignore me. It was an actual additional property!! Works great

thim81

comment created time in a month

issue comment apideck-libraries/portman

Contract test - additional properties

Hey, I tested it by debugging the PR. I can see the additionalProperties is injected in Postman just fine: [image]

What I cannot work out is why it is flagging a response as having additional properties when it matches the schema.

thim81

comment created time in a month

issue comment apideck-libraries/portman

Contract test - additional properties

@thim81 I have tested it using the above setting and it's not picking up additionalProperties I have included. Did you want a short call to discuss?

thim81

comment created time in a month

issue comment apideck-libraries/portman

Contract test - additional properties

@AliKhalili is our Portman expert. I will review with him. Thanks all!

thim81

comment created time in a month

started microsoft/api-guidelines

started time in a month

started NickHeap2/newman-reporter-openapi

started time in a month

started stoplightio/prism

started time in a month
