Tyk open api validation

eugene · February 6, 2023, 12:26pm

Good day everyone,

In the Tyk Gateway 4.1 release a new feature has been added — OAS request validation.

if this feature is enabled, will Tyk do validation on each request? if yes, to which extent validation happens? Will Tyk validate the request method, path, required parameters, headers, field types with restrictions of a json request body, etc?

Best regards,
Eugene

Olu · February 9, 2023, 4:47pm

I haven’t tried, but I suspect it should only be for the body considering the docs is talking about payload validation.

@Andy_O Any ideas?

Andy_O · February 20, 2023, 5:06pm

Hi Eugene,

I’m sorry for the delay in replying - I was out of the office.

I confirm that in Tyk 4.1 we introduced the option to validate the body (payload) of requests made to OAS APIs, such that Tyk will check the request against the schema defined in the API.

In our upcoming Tyk 5.0 release we will be bringing validation of the header (parameters) to strengthen this capability.

The method and API endpoint (path) are also automatically validated by the Tyk gateway.

I hope this answers your question.

Kind regards,
Andy.

eugene · February 24, 2023, 12:21pm

Good day Andy,

Thank you for the response!

I was able to start Tyk 4.3.3 locally and confirm that request body validation works for json payload flawlessly. And request query parameter validation is not happening yet as you said.

You also mentioned that Tyk GW should validate the request path, but that is not what I observe at the local setup: In my OAS file there is a GET endpoint

    "paths": {
        "/job": {
            "get": {

This sample request works fine

curl --location --request GET 'http://localhost:8080/sample/job'

However, the request with a typo in the path

curl --location --request GET 'http://localhost:8080/sample/jooob'

also goes to the upstream service. Should it be catched on the Tyk GW layer without the upstream invocation? Am I missing something?

Best regards,
Eugene

Andy_O · February 24, 2023, 2:43pm

Hi Eugene,

Where you’ve provided a different endpoint that Tyk is unaware of, the gateway doesn’t automatically assume it knows everything about your upstream service and so will allow that to pass through (see Endpoint Designer).

If you want to restrict the caller to the specific endpoints that you’ve defined in your API, then you need to enable allowList middleware for each of those endpoints (see Endpoint Designer).

If you’ve imported your API to Tyk using the OAS Import function, then the allowList middleware should have been automatically configured - however if you’ve created it within the Tyk OAS API Designer then adding the allowList is left as a deliberate choice for you to make.

Please would you check and apply the allowList middleware to your valid endpoints and see if this then works as you expect?

Kind regards,
Andy.