Validate json content in multipart/form-data request body

[emaincourt]

Hi,

I've been trying to add an OpenAPI schema validation using the oapi-codegen validator which actually relies on your openapi3filter package and can't actually figure out how to make the validation pass when sending application/json content as part of a multipart/form-data body. I'm pretty new to kin-openapi and the whole OAPI3 ecosystem so I might be doing something wrong here. Please find below a reproducible failing example of what I'm trying to achieve:

package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/textproto"
	"strings"

	"github.com/getkin/kin-openapi/openapi3"
	"github.com/getkin/kin-openapi/openapi3filter"
	"github.com/getkin/kin-openapi/routers/gorillamux"
)

const testSchema = `
openapi: 3.0.0
info:
  title: 'Validator'
  version: 0.0.1
paths:
  /test:
    post:
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              required:
                - file
              properties:
                file:
                  type: string
                  format: binary
                categories:
                  type: array
                  items:
                    $ref: "#/components/schemas/Category"
      responses:
        '200':
          description: Created

components:
  schemas:
    Category:
      type: object
      properties:
        name:
          type: string
      required:
        - name
`

func main() {
	swagger, err := openapi3.NewLoader().LoadFromData([]byte(testSchema))
	if err != nil {
		panic(err)
	}
	if err := swagger.Validate(context.Background()); err != nil {
		panic(err)
	}

	router, err := gorillamux.NewRouter(swagger)
	if err != nil {
		panic(err)
	}

	body := &bytes.Buffer{}
	writer := multipart.NewWriter(body)

	h := make(textproto.MIMEHeader)
	h.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"`, "categories"))
	h.Set("Content-Type", "application/json")
	fw, err := writer.CreatePart(h)
	if err != nil {
		panic(err)
	}
	_, err = io.Copy(fw, strings.NewReader(`[{"name": "foo"}]`))
	if err != nil {
		panic(err)
	}

	fw, err = writer.CreateFormFile("file", "hello.txt")
	if err != nil {
		panic(err)
	}
	_, err = io.Copy(fw, strings.NewReader("hello"))
	if err != nil {
		panic(err)
	}

	writer.Close()

	req, _ := http.NewRequest(http.MethodPost, "/test", bytes.NewReader(body.Bytes()))
	req.Header.Set("Content-Type", writer.FormDataContentType())

	route, pathParams, _ := router.FindRoute(req)

	reqBody := route.Operation.RequestBody.Value

	requestValidationInput := &openapi3filter.RequestValidationInput{
		Request:    req,
		PathParams: pathParams,
		Route:      route,
	}

	err = openapi3filter.ValidateRequestBody(context.TODO(), requestValidationInput, reqBody)
	if err == nil {
		fmt.Println("Valid")
	} else {
		fmt.Printf("NOT valid. %s\n", err)
	}
}

When running this snippet, validation fails. Also if I remove the categories field, the validation passes.

Does the specification and the test scenario look correct ?

Thanks in advance

[fenollp]

Hi! Thanks for the clear and complete issue!
I am not knowledgeable on multipart form-data that uses name yet and am short on time so all I can do right now is point you to the relevant part of the test suite: https://github.com/getkin/kin-openapi/blob/4cb78ee220815dd565d2ea6910fcd89d2895c009/openapi3filter/req_resp_decoder_test.go

Please report your findings here & I'll turn your issue as an example for the docs.
Thanks again

[emaincourt]

Hi @fenollp. Thanks for your answer. I just created a PR on my fork of kin-openapi to demonstrate the behavior. I basically added 2 cases but they are both the same. One uses a []struct{} whereas the other one uses a []map[string]interface{}. You can find the PR here.

To make my findings more explicit I replaced reflect.DeepEqual with assert.DeepEqual from gotest.tools/assert so we can get the difference between the expected and the actual values.

For my test case, I used a very basic []map[string]interface{} which matches my initial issue: []map[string]interface{}{{"d1": "d1"}}.

Please find below the full form payload:

jsonSlice, err := json.Marshal([]map[string]interface{}{{"d1": "d1"}})
require.NoError(t, err)
multipartFormWithJSONSlice, multipartFormWithJSONSliceMime, err := newTestMultipartForm([]*testFormPart{
	{name: "a", contentType: "text/plain", data: strings.NewReader("a1")},
	{name: "b", contentType: "application/json", data: strings.NewReader("10")},
	{name: "c", contentType: "text/plain", data: strings.NewReader("c1")},
	{name: "c", contentType: "text/plain", data: strings.NewReader("c2")},
	{name: "d", contentType: "application/json", data: bytes.NewReader(jsonSlice)},
	{name: "f", contentType: "application/octet-stream", data: strings.NewReader("foo"), filename: "f1"},
	{name: "g", data: strings.NewReader("g1")},
})

When running the test, we get the following output:

--- FAIL: TestDecodeBody (0.01s)
    --- FAIL: TestDecodeBody/multipart#01 (0.00s)
        /Users/elliotmaincourt/github.com/kin-openapi/openapi3filter/req_resp_decoder_test.go:1223: assertion failed: 
            --- tc.want
            +++ got
              map[string]interface{}{
              	"a": string("a1"),
              	"b": float64(10),
              	"c": []interface{}{string("c1"), string("c2")},
            - 	"d": []map[string]interface{}{{"d1": string("d1")}},
            + 	"d": []interface{}{map[string]interface{}{"d1": string("d1")}},
              	"f": string("foo"),
              	"g": string("g1"),
              }

As you can see, it seems that the type of the initial slice was somehow mutated. Basically []interface{}{map[string]interface{}{"d1": string("d1")}} instead our initial []map[string]interface{}{{"d1": string("d1")}}.

What do you think ? I'm not actually even sure that this behaviour is of any help for my problem.

Thanks in advance

[emaincourt]

Actually after digging a little bit more I figured that if I replace those lines with the following the validation passes:

if prop.Value.Type == "array" {
	obj[name] = vv[0]
} else {
	obj[name] = vv[0]
}

So actually there seem to be no issue at all. I am probably just doing things wrong. In case of an array, the validator expects a part per item to be declared. So basically if I edit my first example and declare two categories parts in my form, each with a single json value, the validation passes. Please find below the example.

package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/textproto"
	"strings"

	"github.com/getkin/kin-openapi/openapi3"
	"github.com/getkin/kin-openapi/openapi3filter"
	"github.com/getkin/kin-openapi/routers/gorillamux"
)

const testSchema = `
openapi: 3.0.0
info:
  title: 'Validator'
  version: 0.0.1
paths:
  /test:
    post:
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              required:
                - file
              properties:
                file:
                  type: string
                  format: binary
                categories:
                  type: array
                  items:
                    $ref: "#/components/schemas/Category"
      responses:
        '200':
          description: Created

components:
  schemas:
    Category:
      type: object
      properties:
        name:
          type: string
      required:
        - name
`

func main() {
	swagger, err := openapi3.NewLoader().LoadFromData([]byte(testSchema))
	if err != nil {
		panic(err)
	}
	if err := swagger.Validate(context.Background()); err != nil {
		panic(err)
	}

	router, err := gorillamux.NewRouter(swagger)
	if err != nil {
		panic(err)
	}

	body := &bytes.Buffer{}
	writer := multipart.NewWriter(body)

	h := make(textproto.MIMEHeader)
	h.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"`, "categories"))
	h.Set("Content-Type", "application/json")
	fw, err := writer.CreatePart(h)
	if err != nil {
		panic(err)
	}
	_, err = io.Copy(fw, strings.NewReader(`{"name": "foo"}`))
	if err != nil {
		panic(err)
	}

	h = make(textproto.MIMEHeader)
	h.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"`, "categories"))
	h.Set("Content-Type", "application/json")
	fw, err = writer.CreatePart(h)
	if err != nil {
		panic(err)
	}
	_, err = io.Copy(fw, strings.NewReader(`{"name": "bar"}`))
	if err != nil {
		panic(err)
	}

	fw, err = writer.CreateFormFile("file", "hello.txt")
	if err != nil {
		panic(err)
	}
	_, err = io.Copy(fw, strings.NewReader("hello"))
	if err != nil {
		panic(err)
	}

	writer.Close()

	req, _ := http.NewRequest(http.MethodPost, "/test", bytes.NewReader(body.Bytes()))
	req.Header.Set("Content-Type", writer.FormDataContentType())

	route, pathParams, _ := router.FindRoute(req)

	reqBody := route.Operation.RequestBody.Value

	requestValidationInput := &openapi3filter.RequestValidationInput{
		Request:    req,
		PathParams: pathParams,
		Route:      route,
	}

	err = openapi3filter.ValidateRequestBody(context.TODO(), requestValidationInput, reqBody)
	if err == nil {
		fmt.Println("Valid")
	} else {
		fmt.Printf("NOT valid. %s\n", err)
	}
}

I'm really sorry for that, the issue can be closed. Thank you once again for your time.