Reputation: 5570
I'd like to specify fields that should never be sent from an endpoint. For instance, say I want to make sure that no endpoint ever responds with `user.passwordHash`.
Is there something like the opposite of `additionalProperties: false` or `required: true` in OpenAPI?
Upvotes: 2
Views: 672
Reputation: 98102
OpenAPI 3.0 provides the `writeOnly` keyword exactly for this purpose:
> Declares the property as "write only". Therefore, it MAY be sent as part of a request but SHOULD NOT be sent as part of the response.

So just mark the corresponding properties as `writeOnly: true`:
```yaml
passwordHash:
  type: string
  writeOnly: true
```
There's also `readOnly` for the opposite scenario - properties that SHOULD NOT be sent in the request, but MAY be sent in the response. `readOnly` exists in both OpenAPI 3.0 and 2.0.
Upvotes: 3
Reputation: 3239
You could define the property as a string and set the max length to zero. There isn't anything that specifically says `additionalProperties: true`, except for `passwordHash`.
```yaml
type: object
properties:
  passwordHash:
    type: string
    format: password
    maxLength: 0
```
Alternatively you could simply traverse the object prior to sending and remove the property you don't want. For example:
```javascript
// Recursively copies `value`, omitting every key named `property` at any depth.
function removeProperty(property, value) {
  if (Array.isArray(value)) {
    return value.map(item => removeProperty(property, item))
  } else if (value && typeof value === 'object') {
    const result = {}
    Object.keys(value)
      .forEach(key => {
        if (key !== property) {
          result[key] = removeProperty(property, value[key])
        }
      })
    return result
  } else {
    return value
  }
}

const object = {
  x: {
    y: {
      z: 1,
      secret: 'password'
    }
  }
}

const clean = removeProperty('secret', object)
console.log(clean) // => { x: { y: { z: 1 } } }
```
Upvotes: 1
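
An added example (not code from either answer or from the OpenAPI project) that combines the two answers above: it walks a response body alongside its schema, drops every property marked `writeOnly: true`, and records where each one was found so a leak can be logged. The function names, the sample document and the hash value are constructed; only `properties`, `items` and local `#/components/schemas/` references are handled, and keys the schema does not describe pass through unchanged.

```javascript
// Follows local "#/components/schemas/X" references (assumed layout).
function resolve(schema, doc) {
  while (schema && schema.$ref) {
    const name = schema.$ref.replace('#/components/schemas/', '')
    schema = doc.components.schemas[name]
  }
  return schema || {}
}

// Returns a copy of `value` without any property the schema marks
// writeOnly: true; appends the path of each removal to `removed`.
function stripWriteOnly(schema, value, doc, removed = [], path = '$') {
  schema = resolve(schema, doc)
  if (Array.isArray(value)) {
    return value.map((item, i) =>
      stripWriteOnly(schema.items, item, doc, removed, `${path}[${i}]`))
  }
  if (value === null || typeof value !== 'object') return value
  const props = schema.properties || {}
  const result = {}
  for (const [key, child] of Object.entries(value)) {
    const childSchema = resolve(props[key], doc)
    if (childSchema.writeOnly === true) {
      removed.push(`${path}.${key}`) // report the location, never the value
      continue
    }
    result[key] = stripWriteOnly(childSchema, child, doc, removed, `${path}.${key}`)
  }
  return result
}

// Constructed sample document and response body.
const doc = { components: { schemas: {
  User: { type: 'object', properties: {
    id: { type: 'integer' },
    name: { type: 'string' },
    passwordHash: { type: 'string', writeOnly: true }
  } },
  UserList: { type: 'object', properties: {
    users: { type: 'array', items: { $ref: '#/components/schemas/User' } }
  } }
} } }
const body = { users: [
  { id: 1, name: 'alice', passwordHash: 'constructed-hash-1' },
  { id: 2, name: 'bob' }
] }
const removed = []
const safeBody = stripWriteOnly({ $ref: '#/components/schemas/UserList' }, body, doc, removed)
console.log(JSON.stringify(safeBody), removed)
```

A non-empty `removed` list in a test run or in production logs points at a handler that is serializing more than its schema allows.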