fix: tighten openapi-fetch excess property checks

Author: F3n67u

.changeset/tough-coins-listen.md

@@ -0,0 +1,5 @@
+---
+"openapi-fetch": patch
+---
+
+fix(openapi-fetch): reject excess request body and params properties 

packages/openapi-fetch/src/index.d.ts

@@ -129,6 +129,7 @@ export type RequestOptions<T> = ParamsOption<T> &
     pathSerializer?: PathSerializer;
     parseAs?: ParseAs;
     fetch?: ClientOptions["fetch"];
+    Request?: typeof Request;
     headers?: HeadersOptions;
     middleware?: Middleware[];
   };
@@ -195,6 +196,8 @@ export type MaybeOptionalInit<Params, Location extends keyof Params> =
     ? FetchOptions<FilterKeys<Params, Location>> | undefined
     : FetchOptions<FilterKeys<Params, Location>>;
 
+type InitWithParseAs<Init, P extends ParseAs | undefined> = Init & (P extends ParseAs ? { parseAs: P } : {});
+
 // The final init param to accept.
 // - Determines if the param is optional or not.
 // - Performs arbitrary [key: string] addition.
@@ -206,25 +209,25 @@ export type ClientMethod<
   Paths extends Record<string, Record<HttpMethod, {}>>,
   Method extends HttpMethod,
   Media extends MediaType,
-> = <Path extends PathsWithMethod<Paths, Method>, Init extends MaybeOptionalInit<Paths[Path], Method>>(
+> = <Path extends PathsWithMethod<Paths, Method>, P extends ParseAs | undefined = undefined>(
   url: Path,
-  ...init: InitParam<Init>
-) => Promise<FetchResponse<Paths[Path][Method], Init, Media>>;
+  ...init: InitParam<InitWithParseAs<MaybeOptionalInit<Paths[Path], Method>, P>>
+) => Promise<FetchResponse<Paths[Path][Method], InitWithParseAs<MaybeOptionalInit<Paths[Path], Method>, P>, Media>>;
 
 export type ClientRequestMethod<Paths extends Record<string, Record<HttpMethod, {}>>, Media extends MediaType> = <
   Method extends HttpMethod,
   Path extends PathsWithMethod<Paths, Method>,
-  Init extends MaybeOptionalInit<Paths[Path], Method>,
+  P extends ParseAs | undefined = undefined,
 >(
   method: Method,
   url: Path,
-  ...init: InitParam<Init>
-) => Promise<FetchResponse<Paths[Path][Method], Init, Media>>;
+  ...init: InitParam<InitWithParseAs<MaybeOptionalInit<Paths[Path], Method>, P>>
+) => Promise<FetchResponse<Paths[Path][Method], InitWithParseAs<MaybeOptionalInit<Paths[Path], Method>, P>, Media>>;
 
 export type ClientForPath<PathInfo extends Record<string | number, any>, Media extends MediaType> = {
-  [Method in keyof PathInfo as Uppercase<string & Method>]: <Init extends MaybeOptionalInit<PathInfo, Method>>(
-    ...init: InitParam<Init>
-  ) => Promise<FetchResponse<PathInfo[Method], Init, Media>>;
+  [Method in keyof PathInfo as Uppercase<string & Method>]: <P extends ParseAs | undefined = undefined>(
+    ...init: InitParam<InitWithParseAs<MaybeOptionalInit<PathInfo, Method>, P>>
+  ) => Promise<FetchResponse<PathInfo[Method], InitWithParseAs<MaybeOptionalInit<PathInfo, Method>, P>, Media>>;
 };
 
 export interface Client<Paths extends {}, Media extends MediaType = MediaType> {

packages/openapi-fetch/test/common/params.test-d.ts

@@ -0,0 +1,63 @@
+import { test } from "vitest";
+import createClient from "../../src/index.js";
+import type { paths } from "./schemas/common.js";
+
+test("GET rejects undefined query params", () => {
+  const client = createClient<paths>();
+
+  client.GET("/query-params", {
+    params: {
+      query: {
+        array: [],
+        // Regression test: extra query params should be rejected.
+        // @ts-expect-error
+        undefined_property: [],
+      },
+    },
+  });
+});
+
+test("client.request rejects undefined query params", () => {
+  const client = createClient<paths>();
+
+  client.request("get", "/query-params", {
+    params: {
+      query: {
+        array: [],
+        // Regression test: extra query params should be rejected via client.request().
+        // @ts-expect-error
+        undefined_property: [],
+      },
+    },
+  });
+});
+
+test("GET rejects undefined path params", () => {
+  const client = createClient<paths>();
+
+  client.GET("/resources/{id}", {
+    params: {
+      path: {
+        id: 123,
+        // Regression test: extra path params should be rejected.
+        // @ts-expect-error
+        undefined_property: 456,
+      },
+    },
+  });
+});
+
+test("client.request rejects undefined path params", () => {
+  const client = createClient<paths>();
+
+  client.request("get", "/resources/{id}", {
+    params: {
+      path: {
+        id: 123,
+        // Regression test: extra path params should be rejected via client.request().
+        // @ts-expect-error
+        undefined_property: 456,
+      },
+    },
+  });
+});

packages/openapi-fetch/test/common/schemas/common.d.ts

@@ -672,6 +672,8 @@ export interface paths {
                 number?: number;
                 boolean?: boolean;
                 array?: string[];
+                second_array?: string[];
+                third_array?: string[];
                 object?: {
                     foo: string;
                     bar: string;
@@ -688,6 +690,8 @@ export interface paths {
                     number?: number;
                     boolean?: boolean;
                     array?: string[];
+                    second_array?: string[];
+                    third_array?: string[];
                     object?: {
                         foo: string;
                         bar: string;

packages/openapi-fetch/test/common/schemas/common.yaml

@@ -392,6 +392,18 @@ paths:
           type: array
           items:
             type: string
+      - in: query
+        name: second_array
+        schema:
+          type: array
+          items:
+            type: string
+      - in: query
+        name: third_array
+        schema:
+          type: array
+          items:
+            type: string
       - in: query
         name: object
         schema:

packages/openapi-fetch/test/http-methods/post.test-d.ts

@@ -0,0 +1,18 @@
+import { test } from "vitest";
+import createClient from "../../src/index.js";
+import type { paths } from "./schemas/post.js";
+
+test("POST rejects undefined request body properties", () => {
+  const client = createClient<paths>();
+
+  client.POST("/posts", {
+    body: {
+      title: "My Post",
+      body: "Post body",
+      publish_date: new Date("2024-06-06T12:00:00Z").getTime(),
+      // Regression test for #1769: extra body fields must still error when required fields are present.
+      // @ts-expect-error
+      undefined_property: true,
+    },
+  });
+});

packages/openapi-fetch/test/http-methods/request.test-d.ts

@@ -0,0 +1,18 @@
+import { test } from "vitest";
+import createClient from "../../src/index.js";
+import type { paths } from "./schemas/post.js";
+
+test("client.request rejects undefined request body properties", () => {
+  const client = createClient<paths>();
+
+  client.request("post", "/posts", {
+    body: {
+      title: "My Post",
+      body: "Post body",
+      publish_date: new Date("2024-06-06T12:00:00Z").getTime(),
+      // Regression test for #1769 across client.request().
+      // @ts-expect-error
+      undefined_property: true,
+    },
+  });
+});

packages/openapi-fetch/test/path-based-client/path-based-client.test-d.ts

@@ -0,0 +1,18 @@
+import { test } from "vitest";
+import { createPathBasedClient } from "../../src/index.js";
+import type { paths } from "../http-methods/schemas/post.js";
+
+test("path-based client rejects undefined request body properties", () => {
+  const client = createPathBasedClient<paths>();
+
+  client["/posts"].POST({
+    body: {
+      title: "My Post",
+      body: "Post body",
+      publish_date: new Date("2024-06-06T12:00:00Z").getTime(),
+      // Regression test for #1769 across path-based clients.
+      // @ts-expect-error
+      undefined_property: true,
+    },
+  });
+});

packages/openapi-react-query/src/index.ts

@@ -207,7 +207,7 @@ export default function createClient<Paths extends {}, Media extends MediaType =
       return data ?? null;
     }
 
-    return data;
+    return data as any;
   };
 
   const queryOptions: QueryOptionsFunction<Paths, Media> = (method, path, ...[init, options]) => ({
@@ -251,7 +251,7 @@ export default function createClient<Paths extends {}, Media extends MediaType =
             if (error) {
               throw error;
             }
-            return data;
+            return data as any;
           },
           ...restOptions,
         },