Because I just can't stop making OpenAPI libraries, I guess.
This is a library to help you generate OpenAPI 3.1-compliant (or 3.0.3 if you do a little work on your own) specs from your Fastify app. Others exist, but to my mind don't scratch the itch that the best OAS tooling does: making it faster and easier to create correct specs and valid API clients from those specs. Because of my own background in building OpenAPI libraries, and my growing appreciation for Fastify, I decided to take a crack at it.
This library presupposes that you use @sinclair/typebox to define the JSON schema used in your requests, and from that JSON Schema derives types. (Ergonomics for non-TypeScript users is specifically out-of-scope.) It will walk all your routes, determine your schema, and extract and deduplicate those schemas to present a relatively clean and easy-to-use OpenAPI document. It'll then also serve JSON and YAML versions of your specification, as well as host an interactive API explorer with try-it-out features courtesy of Rapidoc or Scalar.
Fair warning: This library is in Early Access(tm) and while the functionality that's here does work, there's some functionality that doesn't exist. The stuff that stands out to me personally can be found in TODO.md, including a short list of things this plugin won't do.
First, install it, etc. etc.:
npm install @eropple/fastify-openapi3
pnpm add @eropple/fastify-openapi3
yarn add @eropple/fastify-openapi3Once you've installed it--well, you'd best go do some things to set it up, huh? There's a manual test (originally added to smoke out issues with Rapidoc serving) in [examples/start-server.ts], which can also be directly invoked from the repository with npm run demo. Below are the important bits from that demo:
import Fastify, { FastifyInstance } from 'fastify';
import { Static, Type } from '@sinclair/typebox';
import OAS3Plugin, { OAS3PluginOptions, schemaType, oas3PluginAjv } from '../src/index.js';Your imports. (Obviously, in your project, the last import will be from "@eropple/fastify-openapi3".)
const fastifyOpts: FastifyServerOptions = {
logger: { level: 'error' },
ajv: {
plugins: [oas3PluginAjv],
}
}
const fastify = Fastify(fastifyOpts);
await fastify.register(OAS3Plugin, { ...pluginOpts });Register the OAS3 plugin. This plugin uses the Fastify logger and can be pretty chatty on debug, so bear that in mind. pluginOpts is visible in that file for an example, but it's also commented exhaustively for your IntellSensing pleasure while you're writing it.
const PingResponse = schemaType('PingResponse', Type.Object({ pong: Type.Boolean() }));
type PingResponse = Static<typeof PingResponse>;Your schema. schemaType takes a string as a name, which must be unique for your entire project, as well as a @sinclair/typebox Type (which you can then use as a TypeScript type by doing Static<typeof T>, it's awesome). This is now a TaggedSchema, which can be used anywhere a normal JSON Schema object can be used within Fastify and will handle validation as you would expect.
If you use a TaggedSchema within another schema, the OAS3 plugin is smart enough to extract it into its own OpenAPI #/components/schemas/YourTypeHere entry, so your generated clients will also only have the minimal set of model classes, etc. to worry about. Ditto having them in arrays and so on. I've tried to make this as simple to deal with as possible; if it acts in ways you don't expect, please file an issue.
And now let's make a route:
await fastify.register(async (fastify: FastifyInstance) => {
fastify.route<{ Reply: PingResponse }>({
url: '/ping',
method: 'GET',
schema: {
response: {
200: PingResponse,
},
},
oas: {
operationId: 'pingPingPingAndDefinitelyNotPong',
summary: "a ping to the server",
description: "This ping to the server lets you know that it has not been eaten by a grue.",
deprecated: false,
tags: ['meta'],
vendorPrefixedFields: {
"x-my-vendor-field": true,
},
},
handler: async (req, reply) => {
return { pong: true };
}
});
}, { prefix: '/api' });You don't have to put yours inside a prefixed route, but I like to, so, well, there you go.
If you do a npm run demo, you'll get a UI that looks like the following:
And there you go.
This plugin includes an autowired security system that automatically handles authentication based on your OpenAPI security schemes. Define your security schemes once, and the plugin will automatically validate credentials on routes that use them.
await fastify.register(OAS3Plugin, {
openapiInfo: { title: 'My API', version: '1.0.0' },
autowiredSecurity: {
securitySchemes: {
ApiKey: {
type: 'apiKey',
in: 'header',
name: 'X-Api-Key',
fn: (apiKey, request) => {
return apiKey === 'secret' ? { ok: true } : { ok: false, code: 401 };
},
},
BearerAuth: {
type: 'http',
scheme: 'bearer',
fn: (token, request) => {
// Validate JWT or other bearer token
return isValidToken(token) ? { ok: true } : { ok: false, code: 401 };
},
},
},
},
});
// Use security on routes
fastify.get('/protected', {
oas: {
security: { ApiKey: [] },
},
}, async (req, reply) => {
return { data: 'secret stuff' };
});Security handlers return { ok: true } for success, or { ok: false, code: 401 | 403 } for failure:
- Return
401(Unauthorized) when credentials are missing or invalid - Return
403(Forbidden) when credentials are valid but access is denied
OpenAPI supports combining security requirements:
// OR logic: either scheme can grant access
oas: {
security: [{ ApiKey: [] }, { BearerAuth: [] }],
}
// AND logic: both schemes must pass
oas: {
security: { ApiKey: [], BearerAuth: [] },
}By default, missing credentials return 401 immediately. Set passNullIfNoneProvided: true to receive null in your handler instead, allowing you to implement optional authentication:
securitySchemes: {
OptionalApiKey: {
type: 'apiKey',
in: 'header',
name: 'X-Api-Key',
passNullIfNoneProvided: true,
fn: (apiKey, request) => {
if (apiKey === null) {
// No key provided - allow anonymous access
return { ok: true };
}
// Key provided - validate it
return apiKey === 'secret' ? { ok: true } : { ok: false, code: 401 };
},
},
}Sometimes authentication decisions depend on the request body (e.g., request signing, body-based authorization). Set requiresParsedBody: true to receive the parsed body in your handler:
securitySchemes: {
BodyAwareAuth: {
type: 'apiKey',
in: 'header',
name: 'X-Api-Key',
requiresParsedBody: true,
fn: (apiKey, request, context) => {
// context.body contains the parsed request body
const body = context?.body as { resourceId?: string };
// Check if user has access to the requested resource
if (!userCanAccessResource(apiKey, body?.resourceId)) {
return { ok: false, code: 403 };
}
return { ok: true };
},
},
}When requiresParsedBody is not set or is false, the context parameter will be undefined.
For webhook signature validation or HMAC verification, you need access to the raw (unparsed) request body. Use the fastify-raw-body plugin alongside requiresParsedBody:
import fastifyRawBody from 'fastify-raw-body';
// Register fastify-raw-body BEFORE the OAS plugin
await fastify.register(fastifyRawBody, {
global: false, // Only on routes that need it
runFirst: true, // Get raw body before any transforms
});
await fastify.register(OAS3Plugin, {
// ... other options
autowiredSecurity: {
securitySchemes: {
WebhookSignature: {
type: 'apiKey',
in: 'header',
name: 'X-Signature',
requiresParsedBody: true,
fn: (signature, request, context) => {
// request.rawBody contains the raw string/buffer
const expectedSig = crypto
.createHmac('sha256', secret)
.update(request.rawBody as string)
.digest('hex');
if (signature !== expectedSig) {
return { ok: false, code: 401 };
}
return { ok: true };
},
},
},
},
});
// Enable rawBody on specific routes
fastify.post('/webhook', {
config: { rawBody: true },
oas: { security: { WebhookSignature: [] } },
}, handler);- API Key (
type: 'apiKey'): Validates keys from headers or cookies - HTTP Basic (
type: 'http', scheme: 'basic'): Validates username/password credentials - HTTP Bearer (
type: 'http', scheme: 'bearer'): Validates bearer tokens
Issues and PRs welcome! Constructive criticism on how to improve the library would be awesome, even as I use it in my own stuff and figure out where to go from there, too.
Before you start in on a PR, however, please do me a solid and drop an issue so we can discuss the approach. Thanks!