Request Validation
Table Of Contents
Introduction
Tyk can protect any Gateway incoming request by validating the request parameters and payload against a schema provided for that path’s request body in the OAS API Definition.
The clever part is that in this schema you can reference another schema defined elsewhere in the API Definition; this lets you write complex validations very efficiently since you don’t need to re-define the validation for a particular object every time you wish to refer to it.
Note
At this time Tyk only supports local references to schema within the same API Definition, but in future we aim to support schemas defined externally (via URL).
How it works
Request Validation works on operations. To enable request validations for the parameters, you must declare at least one parameter on an Open API operation:
"/pet/{petId}": {
"get": {
"summary": "Find pet by ID",
"operationId": "getPetById",
"parameters": [
{
"name": "petId",
"in": "path",
"description": "ID of pet to return",
"required": true,
"schema": {
"type": "integer",
"format": "int64"
}
}
],
...
}
}
If there is at least one parameter, that parameter will enable validation of parameters.
To configure Request Validation, which will check the body of each API request sent to the endpoint, follow these simple steps:
- Define a schema for an
application/jsoncontent type in therequestBodysection of a path.
{
...
"paths":{
"/pet":{
"put":{
...
"requestBody":{
"description":"Update an existent pet in the store",
"content":{
"application/json":{
"schema":{
type: string
}
}
}
}
}
}
}
...
}
- Enable
validateRequestmiddleware within theoperationssection of the API definition, using the operationId to identify the specific endpoint for which validation is to be applied.
{
...
"paths":{
"/pet":{
"put":{
...
operationId: 'petput',
"requestBody":{
...
"content":{
"application/json":{
"schema":{
type: string
}
}
}
}
}
}
}
...
"x-tyk-api-gateway": {
...
"middleware": {
...
"operations": {
...
"petput": {
"validateRequest": {
"enabled": true
}
}
}
}
}
}
Using references to access shared schemas
You can define the validation schema directly within the requestBody of the path’s definition, or you can define it in the separate components.schemas section and include a relative reference within the requestBody. This allows you to re-use a schema across multiple paths.
//SCHEMA DEFINED WITHIN PATH DEFINITION
{
...
"paths":{
"/pet":{
"put":{
...
"requestBody":{
"description":"Update an existing pet in the store",
"content":{
"application/json":{
"schema":{
type: string
}
}
}
}
}
}
}
...
}
//SCHEMA DEFINED WITHIN COMPONENTS.SCHEMAS AND ACCESSED USING RELATIVE REFERENCE
{
...
"components": {
"schemas": {
"Pet": {
type: string
}
}
},
"paths":{
"/pet":{
"put":{
...
"requestBody":{
"description":"Update an existing pet in the store",
"content":{
"application/json":{
"schema":{
$ref: "#/components/Pet"
}
}
}
}
}
}
}
...
}
Automatically enable request validation
When importing an OAS API Definition or updating an existing Tyk OAS API
Definition, validateRequest middleware can be automatically configured
by Tyk for all the paths that have a schema configured, by passing
validateRequest=true as a query parameter for the IMPORT or PATCH request respectively.