feat: add path parameter validation using Zod schema

Akronae · Akronae · commit 84473e7fb7ac · 2025-10-04T12:24:08.000+02:00
diff --git a/src/lib/openapi-validation.interceptor.ts b/src/lib/openapi-validation.interceptor.ts
@@ -4,7 +4,9 @@ import {
   Injectable,
   NestInterceptor,
 } from '@nestjs/common';
+import { mapEntries } from 'radash';
 import { Observable, map } from 'rxjs';
+import z from 'zod';
 import { OpenApiValidator } from './openapi-validator';
 
 @Injectable()
@@ -15,22 +17,32 @@ export class OpenApiValidationInterceptor
   intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
     const req = context.switchToHttp().getRequest();
     const res = context.switchToHttp().getResponse();
-    const url = req.url.split('?')[0];
+    const url = req.route.path.replace(/:([a-zA-Z0-9_]+)/g, '{$1}');
+    const endpoint = this.openapi.paths[url][req.method.toLowerCase()];
     const schema =
-      this.openapi.paths[url][req.method.toLowerCase()].responses[
-        res.statusCode ?? 200
-      ]?.content?.[
+      endpoint.responses[res.statusCode ?? 200]?.content?.[
         res.getHeader('content-type') ??
           req.headers['content-type'] ??
           'application/json'
       ]?.schema;
+    const dto: string = schema?.$ref?.split('/').pop();
 
-    const dtoName = schema?.$ref?.split('/').pop();
-    if (!dtoName) return next.handle();
+    const inPath = endpoint.parameters?.filter((p) => p.in === 'path');
+    if (inPath?.length) {
+      const zReqParams = z.object(
+        mapEntries(inPath, (_, v: any) => [
+          v.name,
+          this.openapiPropToZod({ required: v.required, ...v.schema }, {}),
+        ]),
+      );
+      req.params = this.validate(req.params, zReqParams, 'param');
+    }
+
+    if (!dto) return next.handle();
 
     return next.handle().pipe(
       map((data) => {
-        return this.validate(data, dtoName, 'response');
+        return this.validate(data, { dto }, 'response');
       }),
     );
   }
diff --git a/src/lib/openapi-validation.pipe.ts b/src/lib/openapi-validation.pipe.ts
@@ -7,15 +7,16 @@ export class OpenApiValidationPipe
   implements PipeTransform
 {
   transform(value: any, metadata: ArgumentMetadata) {
-    const dtoName = metadata.metatype?.name;
-    if (!dtoName || !this.schemata[dtoName]) return value;
+    const dto = metadata.metatype?.name;
 
-    if (!this.openapi.components?.schemas[dtoName]) {
+    if (!dto || !this.schemata[dto]) return value;
+
+    if (!this.openapi.components?.schemas[dto]) {
       throw new Error(
-        `${dtoName} is not registered in your OpenAPI document. Use \`@OpenApiRegister()\` on your DTO to register it. More info: https://github.com/Akronae/nestjs-openapi-validation?tab=readme-ov-file#registering-models.`,
+        `${dto} is not registered in your OpenAPI document. Use \`@OpenApiRegister()\` on your DTO to register it. More info: https://github.com/Akronae/nestjs-openapi-validation?tab=readme-ov-file#registering-models.`,
       );
     }
 
-    return this.validate(value, dtoName, metadata.type);
+    return this.validate(value, { dto }, metadata.type);
   }
 }
diff --git a/src/lib/openapi-validator.ts b/src/lib/openapi-validator.ts
@@ -2,7 +2,7 @@ import { BadRequestException, Paramtype } from '@nestjs/common';
 import { OpenAPIObject } from '@nestjs/swagger';
 import { SchemaObject } from '@nestjs/swagger/dist/interfaces/open-api-spec.interface';
 import { mapEntries } from 'radash';
-import z, { ZodType } from 'zod';
+import z, { ZodSchema, ZodType } from 'zod';
 
 type OpenApiProp = {
   type?: string;
@@ -51,8 +51,13 @@ export class OpenApiValidator {
     });
   }
 
-  validate(value: any, dtoName: string, type: Paramtype | 'response') {
-    const zodSchema = this.getZodSchema(dtoName);
+  validate(
+    value: any,
+    schema: { dto: string } | ZodSchema,
+    type: Paramtype | 'response',
+  ) {
+    const zodSchema =
+      schema instanceof ZodSchema ? schema : this.getZodSchema(schema.dto);
     const res = zodSchema.safeParse(value);
 
     if (!res.success) {
diff --git a/src/metadata.ts b/src/metadata.ts
@@ -4,5 +4,5 @@ export default async () => {
         ["./modules/app/app.dto"]: await import("./modules/app/app.dto"),
         ["./modules/users/users.dto"]: await import("./modules/users/users.dto")
     };
-    return { "@nestjs/swagger": { "models": [[import("./modules/app/app.dto"), { "Query1": { str1: { required: true, type: () => String }, str2: { required: false, type: () => String }, date: { required: true, type: () => Date }, nbr1: { required: true, type: () => Number }, nbr2: { required: false, type: () => Number } }, "Query2": { str1: { required: true, type: () => String }, nbr1: { required: true, type: () => Number }, enum1: { required: true, type: () => Object } }, "Query3": { enum1: { required: true, type: () => Object }, enum2: { required: true, type: () => Object } }, "Query4": { query1: { required: true, type: () => t["./modules/app/app.dto"].Query1 }, field2: { required: true, type: () => Object } }, "Query5": { query4: { required: true, type: () => t["./modules/app/app.dto"].Query4 }, force: { required: true, type: () => Boolean }, query1: { required: false, type: () => t["./modules/app/app.dto"].Query1 } }, "Query6": { arr: { required: true, type: () => [t["./modules/app/app.dto"].Query4] } }, "Query7": { str: { required: true, type: () => String }, nbr: { required: true, type: () => Number }, email: { required: true, type: () => String }, url: { required: true, type: () => String }, phone: { required: true, type: () => String } }, "Query8": { nested: { required: true, type: () => ({ long: { required: true, type: () => ({ prop: { required: true, type: () => Number } }) } }) } }, "Query9": { required: { required: true, type: () => ({ long: { required: true, type: () => ({ prop: { required: true, type: () => Number } }) }, opt: { required: false, type: () => ({ prop: { required: true, type: () => Number } }) }, semi: { required: false, type: () => ({ opt: { required: false, type: () => Number } }) } }) }, opt: { required: false, type: () => ({ long: { required: true, type: () => ({ prop: { required: true, type: () => Number } }) }, opt: { required: false, type: () => ({ prop: { required: true, type: () => Number } }) }, semi: { required: false, type: () => ({ opt: { required: false, type: () => Number } }) } }) } }, "Query10": { arr2d: { required: true, type: () => [[String]] }, arr2d2: { required: false, type: () => [[Number]] } } }], [import("./modules/users/users.dto"), { "UserQuery1": { name: { required: true, type: () => String }, age: { required: false, type: () => Number } }, "UserQuery2Options": { all: { required: true, type: () => String } }, "UserQuery2": { name: { required: true, type: () => String }, options: { required: false, type: () => t["./modules/users/users.dto"].UserQuery2Options } }, "UserQuery3": { a: { required: true, type: () => String }, b: { required: false, type: () => Number } }, "UserQuery4": { required: { required: true, type: () => String } } }]], "controllers": [[import("./modules/app/app.controller"), { "AppController": { "getStatus": {}, "getStatusV2": { type: String }, "getQuery1": { type: t["./modules/app/app.dto"].Query1 }, "getQuery2": { type: t["./modules/app/app.dto"].Query2 }, "getQuery3": { type: t["./modules/app/app.dto"].Query3 }, "getQuery4": { type: t["./modules/app/app.dto"].Query4 }, "getQuery5": { type: t["./modules/app/app.dto"].Query5 }, "getQuery6": { type: t["./modules/app/app.dto"].Query6 }, "getQuery7": { type: t["./modules/app/app.dto"].Query7 }, "getQuery8": { type: t["./modules/app/app.dto"].Query8 }, "getQuery9": { type: t["./modules/app/app.dto"].Query9 }, "getQuery10": { type: t["./modules/app/app.dto"].Query10 }, "getResponse1": { type: t["./modules/app/app.dto"].Query1 }, "getResponse2": { type: t["./modules/app/app.dto"].Query2 }, "getResponse3": { type: t["./modules/app/app.dto"].Query3 }, "getResponse4": { type: t["./modules/app/app.dto"].Query4 }, "getResponse5": { type: t["./modules/app/app.dto"].Query5 }, "getResponse6": { type: t["./modules/app/app.dto"].Query6 }, "getResponse7": { type: t["./modules/app/app.dto"].Query7 }, "getResponse8": { type: t["./modules/app/app.dto"].Query8 }, "getResponse9": { type: t["./modules/app/app.dto"].Query9 }, "getResponse10": { type: t["./modules/app/app.dto"].Query10 } } }], [import("./modules/users/users.controller"), { "UsersController": { "getQuery1": { type: t["./modules/users/users.dto"].UserQuery1 }, "getResponse1": { type: t["./modules/users/users.dto"].UserQuery1 }, "getQuery2": { type: t["./modules/users/users.dto"].UserQuery2 }, "getResponse2": { type: t["./modules/users/users.dto"].UserQuery2 }, "getQuery3": { type: String }, "getQuery4": { type: String } } }]] } };
+    return { "@nestjs/swagger": { "models": [[import("./modules/app/app.dto"), { "Query1": { str1: { required: true, type: () => String }, str2: { required: false, type: () => String }, date: { required: true, type: () => Date }, nbr1: { required: true, type: () => Number }, nbr2: { required: false, type: () => Number } }, "Query2": { str1: { required: true, type: () => String }, nbr1: { required: true, type: () => Number }, enum1: { required: true, type: () => Object } }, "Query3": { enum1: { required: true, type: () => Object }, enum2: { required: true, type: () => Object } }, "Query4": { query1: { required: true, type: () => t["./modules/app/app.dto"].Query1 }, field2: { required: true, type: () => Object } }, "Query5": { query4: { required: true, type: () => t["./modules/app/app.dto"].Query4 }, force: { required: true, type: () => Boolean }, query1: { required: false, type: () => t["./modules/app/app.dto"].Query1 } }, "Query6": { arr: { required: true, type: () => [t["./modules/app/app.dto"].Query4] } }, "Query7": { str: { required: true, type: () => String }, nbr: { required: true, type: () => Number }, email: { required: true, type: () => String }, url: { required: true, type: () => String }, phone: { required: true, type: () => String } }, "Query8": { nested: { required: true, type: () => ({ long: { required: true, type: () => ({ prop: { required: true, type: () => Number } }) } }) } }, "Query9": { required: { required: true, type: () => ({ long: { required: true, type: () => ({ prop: { required: true, type: () => Number } }) }, opt: { required: false, type: () => ({ prop: { required: true, type: () => Number } }) }, semi: { required: false, type: () => ({ opt: { required: false, type: () => Number } }) } }) }, opt: { required: false, type: () => ({ long: { required: true, type: () => ({ prop: { required: true, type: () => Number } }) }, opt: { required: false, type: () => ({ prop: { required: true, type: () => Number } }) }, semi: { required: false, type: () => ({ opt: { required: false, type: () => Number } }) } }) } }, "Query10": { arr2d: { required: true, type: () => [[String]] }, arr2d2: { required: false, type: () => [[Number]] } } }], [import("./modules/users/users.dto"), { "UserQuery1": { name: { required: true, type: () => String }, age: { required: false, type: () => Number } }, "UserQuery2Options": { all: { required: true, type: () => String } }, "UserQuery2": { name: { required: true, type: () => String }, options: { required: false, type: () => t["./modules/users/users.dto"].UserQuery2Options } }, "UserQuery3": { a: { required: true, type: () => String }, b: { required: false, type: () => Number } }, "UserQuery4": { required: { required: true, type: () => String } } }]], "controllers": [[import("./modules/app/app.controller"), { "AppController": { "getStatus": {}, "getStatusV2": { type: String }, "getQuery1": { type: t["./modules/app/app.dto"].Query1 }, "getQuery2": { type: t["./modules/app/app.dto"].Query2 }, "getQuery3": { type: t["./modules/app/app.dto"].Query3 }, "getQuery4": { type: t["./modules/app/app.dto"].Query4 }, "getQuery5": { type: t["./modules/app/app.dto"].Query5 }, "getQuery6": { type: t["./modules/app/app.dto"].Query6 }, "getQuery7": { type: t["./modules/app/app.dto"].Query7 }, "getQuery8": { type: t["./modules/app/app.dto"].Query8 }, "getQuery9": { type: t["./modules/app/app.dto"].Query9 }, "getQuery10": { type: t["./modules/app/app.dto"].Query10 }, "getResponse1": { type: t["./modules/app/app.dto"].Query1 }, "getResponse2": { type: t["./modules/app/app.dto"].Query2 }, "getResponse3": { type: t["./modules/app/app.dto"].Query3 }, "getResponse4": { type: t["./modules/app/app.dto"].Query4 }, "getResponse5": { type: t["./modules/app/app.dto"].Query5 }, "getResponse6": { type: t["./modules/app/app.dto"].Query6 }, "getResponse7": { type: t["./modules/app/app.dto"].Query7 }, "getResponse8": { type: t["./modules/app/app.dto"].Query8 }, "getResponse9": { type: t["./modules/app/app.dto"].Query9 }, "getResponse10": { type: t["./modules/app/app.dto"].Query10 } } }], [import("./modules/users/users.controller"), { "UsersController": { "getQuery1": { type: t["./modules/users/users.dto"].UserQuery1 }, "getResponse1": { type: t["./modules/users/users.dto"].UserQuery1 }, "getQuery2": { type: t["./modules/users/users.dto"].UserQuery2 }, "getResponse2": { type: t["./modules/users/users.dto"].UserQuery2 }, "getQuery3": { type: String }, "getQuery4": { type: String }, "getQuery5": {} } }]] } };
 };
diff --git a/src/modules/app/__snapshots__/app.module.spec.ts.snap b/src/modules/app/__snapshots__/app.module.spec.ts.snap
@@ -1964,6 +1964,44 @@ exports[`AppController (e2e) /users/query_4 success (GET) 1`] = `{}`;
 
 exports[`AppController (e2e) /users/query_4 success (GET) 2`] = `{}`;
 
+exports[`AppController (e2e) /users/query_5 fail (GET) 1`] = `
+{
+  "error": {
+    "param": {
+      "issues": [
+        {
+          "code": "invalid_type",
+          "expected": "number",
+          "message": "Expected number, received nan",
+          "path": [
+            "id",
+          ],
+          "received": "nan",
+        },
+      ],
+      "name": "ZodError",
+    },
+  },
+}
+`;
+
+exports[`AppController (e2e) /users/query_5 success (GET) 1`] = `
+{
+  "id": 453,
+  "lol": 1,
+  "required": "hello",
+}
+`;
+
+exports[`AppController (e2e) /users/query_5 success (GET) 2`] = `
+{
+  "id": 23,
+  "lol": 1,
+  "optional": "world",
+  "required": "hi",
+}
+`;
+
 exports[`AppController (e2e) /users/response_1 fail (GET) 1`] = `
 {
   "error": {
diff --git a/src/modules/app/app.module.spec.ts b/src/modules/app/app.module.spec.ts
@@ -885,4 +885,45 @@ describe('AppController (e2e)', () => {
     expect(res.status).toBe(200);
     expect(res.body).toMatchSnapshot();
   });
+
+  it('/users/query_5 fail (GET)', async () => {
+    const res = await request(app.getHttpServer())
+      .get('/v1/users/query_5/hi')
+      .query({
+        required: 'lala',
+      });
+    expect(res.status).toBe(400);
+    expect(res.body).toMatchSnapshot();
+  });
+
+  it('/users/query_5 success (GET)', async () => {
+    const res = await request(app.getHttpServer())
+      .get('/v1/users/query_5/453')
+      .query({
+        required: 'hello',
+      });
+    expect(res.status).toBe(200);
+    expect(res.body).toEqual({
+      required: 'hello',
+      id: 453,
+      lol: 1,
+    });
+    expect(res.body).toMatchSnapshot();
+  });
+  it('/users/query_5 success (GET)', async () => {
+    const res = await request(app.getHttpServer())
+      .get('/v1/users/query_5/00023')
+      .query({
+        required: 'hi',
+        optional: 'world',
+      });
+    expect(res.status).toBe(200);
+    expect(res.body).toEqual({
+      required: 'hi',
+      optional: 'world',
+      id: 23,
+      lol: 1,
+    });
+    expect(res.body).toMatchSnapshot();
+  });
 });
diff --git a/src/modules/users/users.controller.ts b/src/modules/users/users.controller.ts
@@ -1,4 +1,4 @@
-import { Body, Controller, Get, Post, Query } from '@nestjs/common';
+import { Body, Controller, Get, Param, Post, Query } from '@nestjs/common';
 import { UserQuery1, UserQuery2, UserQuery3, UserQuery4 } from './users.dto';
 
 @Controller({
@@ -33,4 +33,18 @@ export class UsersController {
   getQuery4(@Query() _query: UserQuery4) {
     return 'ok!';
   }
+
+  @Get('query_5/:id')
+  getQuery5(
+    @Param('id') id: number,
+    @Query('required') required: string,
+    @Query('optional') optional?: string,
+  ) {
+    return {
+      required,
+      optional,
+      id,
+      lol: 1,
+    };
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,15 +7,16 @@ export class OpenApiValidationPipe`
`7`	`7`	`implements PipeTransform`
`8`	`8`	`{`
`9`	`9`	`transform(value: any, metadata: ArgumentMetadata) {`
`10`		`- const dtoName = metadata.metatype?.name;`
`11`		`- if (!dtoName \|\| !this.schemata[dtoName]) return value;`
	`10`	`+ const dto = metadata.metatype?.name;`
`12`	`11`
`13`		`- if (!this.openapi.components?.schemas[dtoName]) {`
	`12`	`+ if (!dto \|\| !this.schemata[dto]) return value;`
	`13`	`+`
	`14`	`+ if (!this.openapi.components?.schemas[dto]) {`
`14`	`15`	`throw new Error(`
`15`		- `${dtoName} is not registered in your OpenAPI document. Use \`@OpenApiRegister()\` on your DTO to register it. More info: https://github.com/Akronae/nestjs-openapi-validation?tab=readme-ov-file#registering-models.`,
	`16`	+ `${dto} is not registered in your OpenAPI document. Use \`@OpenApiRegister()\` on your DTO to register it. More info: https://github.com/Akronae/nestjs-openapi-validation?tab=readme-ov-file#registering-models.`,
`16`	`17`	`);`
`17`	`18`	`}`
`18`	`19`
`19`		`- return this.validate(value, dtoName, metadata.type);`
	`20`	`+ return this.validate(value, { dto }, metadata.type);`
`20`	`21`	`}`
`21`	`22`	`}`