Wayne Bloss

Reputation: 5570

Specify property that should never be sent in Swagger or OpenAPI

I'd like to specify fields that should never be sent from an endpoint. For instance, say I want to make sure that no endpoint ever responds with user.passwordHash.

Is there something like the opposite of additionalProperties: false or required: true in OpenAPI?

Upvotes: 2

Views: 672

Answers (2)

Helen

Reputation: 98102

OpenAPI 3.0 provides the writeOnly keyword exactly for this purpose:

Declares the property as "write only". Therefore, it MAY be sent as part of a request but SHOULD NOT be sent as part of the response.

So just mark the corresponding properties as writeOnly: true:

passwordHash:
  type: string
  writeOnly: true

There's also readOnly for the opposite scenario - properties that SHOULD NOT be sent in the request, but MAY be sent in the response. readOnly exists in both OpenAPI 3.0 and 2.0.

Upvotes: 3

James

Reputation: 3239

You could define the property as a string and set the max length to zero. There isn't anything that specifically says additionalProperties: true, except for passwordHash.

type: object
properties:
    passwordHash:
        type: string
        format: password
        maxLength: 0

Alternatively you could simply traverse the object prior to sending and remove the property you don't want. For example:

function removeProperty(property, value) {
  if (Array.isArray(value)) {
    return value.map(item => removeProperty(property, item))

  } else if (value && typeof value === 'object') {
    const result = {}
    Object.keys(value)
      .forEach(key => {
        if (key !== property) {
          result[key] = removeProperty(property, value[key])
        }
      })
    return result

  } else {
    return value
  }
}

const object = {
  x: {
    y: {
      z: 1,
      secret: 'password'
    }
  }
}

const clean = removeProperty('secret', object)
console.log(clean) // => { x: { y: { z: 1 } } }

Upvotes: 1
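
An added example, not part of either answer above: writeOnly is worded as SHOULD NOT, so the schema by itself does not stop a handler from returning the field, and this code uses the schema's writeOnly markers to detect and strip such properties from a response before it is sent. The schema, the sample response and the function names are constructed for illustration; it assumes an already dereferenced schema (no $ref or allOf) and walks only properties and items.

```javascript
// Added example; userSchema, response and both function names are hypothetical.
const userSchema = { // constructed sample schema
  type: 'object',
  properties: {
    id: { type: 'integer' },
    name: { type: 'string' },
    passwordHash: { type: 'string', writeOnly: true },
    sessions: {
      type: 'array',
      items: { type: 'object', properties: { refreshToken: { type: 'string', writeOnly: true } } }
    }
  }
};

// Returns the paths of writeOnly properties that are present in `value`.
function findWriteOnlyLeaks(schema, value, path = '') {
  if (!schema || value === null || typeof value !== 'object') return [];
  if (Array.isArray(value)) {
    return value.flatMap((item, i) => findWriteOnlyLeaks(schema.items, item, `${path}/${i}`));
  }
  const leaks = [];
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    if (!Object.prototype.hasOwnProperty.call(value, key)) continue;
    if (sub.writeOnly === true) leaks.push(`${path}/${key}`);
    else leaks.push(...findWriteOnlyLeaks(sub, value[key], `${path}/${key}`));
  }
  return leaks;
}

// Returns a copy of `value` with writeOnly properties dropped.
// Keys the schema does not describe are passed through unchanged.
function stripWriteOnly(schema, value) {
  if (!schema || value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(item => stripWriteOnly(schema.items, item));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    const sub = (schema.properties || {})[key];
    if (sub && sub.writeOnly === true) continue;
    out[key] = stripWriteOnly(sub, v);
  }
  return out;
}

// Constructed response body that leaks two writeOnly fields.
const response = {
  id: 7, name: 'alice', passwordHash: 'constructed-hash',
  sessions: [{ device: 'laptop' }, { device: 'phone', refreshToken: 'constructed-token' }]
};
console.log(findWriteOnlyLeaks(userSchema, response), stripWriteOnly(userSchema, response));
```

Running findWriteOnlyLeaks in tests or as a logging hook shows which endpoints violate the contract, while stripWriteOnly at the serialization boundary keeps the field out even when a handler forgets.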
