Documentation
¶
Overview ¶
Package schemavalidate provides transport-neutral JSON Schema validation for generated code at untrusted wire boundaries.
It loads a JSON Schema (draft 2020-12) from raw bytes, compiles it once at construction time, and validates payloads on every call. Validation errors are mapped to errcode.ErrValidationFailed. Error messages expose field names but never expose schema-internal details (lengths, ranges, patterns) to prevent oracle attacks.
Both transports embed and reuse this validator at their untrusted ingress:
- HTTP handlers (generated/contracts/http/**): validate the request body bytes before entering the cell (handler.tmpl).
- Async command dispatch (generated/contracts/command/**): validate the outbox entry payload bytes inside DispatchAsync before unmarshal+handle (command.tmpl, #1588). The sync in-process Dispatch deliberately does NOT validate — it is a first-party typed boundary (ADR 202606040550-1044 §D8).
HTTP response writing for a validation error is the caller's concern: generated HTTP handlers pass the returned *errcode.Error straight to httputil.WriteError (KindInvalid → 400); this package stays response-writer free so non-HTTP consumers (command dispatch) can reuse it without pulling in net/http.
ref: santhosh-tekuri/jsonschema/v6 (already in go.mod via contracttest) ref: deepmap/oapi-codegen security examples (request validation patterns)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Validator ¶
type Validator interface {
// Validate validates body against the compiled schema.
// Returns nil on success. Returns *errcode.Error (code=ErrValidationFailed)
// on schema violation.
//
// Error shape: the offending field path is carried in the "detail"
// PublicDetail (oracle-safe — field name only, never the constraint value:
// lengths, ranges, regex patterns). The Message is a fixed const literal
// ("request body validation failed"). Because (*errcode.Error).Error() renders
// only [Code] + Message (+ Cause), NOT Details, a caller that logs err.Error()
// — e.g. the outbox relay storing last_error via SanitizeError — never leaks
// the field name. The field path reaches clients only via the wire-serialized
// details array (4xx), not server-side error strings.
//
// ctx is accepted for API stability and future cancellation/deadline support;
// the default implementation does not use it (validation is CPU-bound, in-memory).
Validate(ctx context.Context, body []byte) error
}
Validator validates a JSON payload against a compiled JSON Schema.
func NewValidator ¶
NewValidator compiles schemaJSON as a JSON Schema (draft 2020-12) and returns a Validator. The compilation cost is paid once at construction time; each call to Validate is schema-free.
Returns error if schemaJSON is not valid JSON or is not a compilable schema.