andrewwalsh / openapi-devtools Goto Github PK

https://www.amazon.com/Queen-Size-Sheet-Set-Breathable/dp/B01M16WBW1?ref=dlx_deals_dg_dcl_B01M16WBW1_mw_sl14_d0

openapi-devtools-spec.json

no useful info

It would be awesome to have this in Firefox as well :-)

Awesome work! I have one feature request though - could it record auth headers/tokens? This would be super useful for logging which requests require authorization and how to send an authorized request

Hello, I was navigating through dndbeyond.com to record API requests and there are many structural errors when importing the resulting JSON into Swagger Editor similar to below:

Structural error at paths./font_picker.post.requestBody.content.application/json.schema.properties.organization_id.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string

This particular request looks like:

curl 'https://echidna.wirewax.com/font_picker' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'origin: https://player.vimeo.com' \
  -H 'pragma: no-cache' \
  -H 'referer: https://player.vimeo.com/' \
  -H 'sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36' \
  --data-raw '{"environment":"player","organization_id":null}'

The resulting OpenAPI request body looks like:

requestBody:
       content:
         application/json:
           schema:
             type: object
             properties:
               environment:
                 type: string
               organization_id:
                 type: 'null'
             required:
               - environment
               - organization_id

As you can see null is not the same as 'null'. When submitting a value of null it's probably not possible to determine what the type signature should be. But rather than a string of 'null' it should probably just be an empty string to or one of the other allowed values to adhere to the spec.

Hey hey. Thanks for this amazing extension! On first sight it works very well. Only when I click on a path parameter it merges too much of path into one. Example:

/api/v2/faq_entries/340/feedback
/api/v2/faq_entries/340/recommended_faqs
/api/v2/faq_entries/340/related_faqs

clicking on 340 results in:

/api/v2/faq_entries/:param3/feedback

Although I'd expect:

/api/v2/faq_entries/:param3/feedback
/api/v2/faq_entries/:param3/recommended_faqs
/api/v2/faq_entries/:param3/related_faqs

Any idea what's the issue here? Thanks a lot!

btw. why param3 and not starting at least at param1? :)

Hi,
Really cool idea! Hope I can make it working :)

On Firefox 115.11.0esr, the tool shows "can't read and change data on this site".
Clicking the cog gear takes me to the addons dialog, but I there's no preferences tab to enable it for my site.

Suggested improvement to the ReadMe: add a paragraph explaining what an OpenAI specification is. I just read this:

https://swagger.io/specification/

...and I'm not quite sure yet what it is or where it is used.

I've used OpenAI a lot through its UI but not via code yet. :)

It would be helpful to see what some possible values would be for each key in a JSON API instead of only the type of the value.

Currently, closing the browser results in a loss of the generated OpenAPI specification data. To enhance usability and continuity, could we consider the following features?

1. Implementing a session save feature that allows users to pause and resume their recording sessions at a later time.

2. Providing an option to upload a JSON file of a previously downloaded OpenAPI specification, enabling users to continue recording from where they left off.

I left ideas in HN comments but leaving them here for posterity:

1. Ability to filter response properties.
2. Ability to work with non-JSON (web scraping) by defining a mapping of CSS selectors to response properties.
3. Cross-reference host names of captured requests with publicly documented APIs.
4. If auth headers are found, prompt the user for credentials that can then be stored locally.
5. "Repeater" functionality similar to the feature found in Burp Suite.
6. Generate clients on the fly based on the generated OpenAPI spec.
7. Train a machine learning model to recognize and extract tabular and repeated data based on training data.
8. Optionally publish generated OpenAPI specs to a central site or open PR to a GH repo, "awesome-openapi-devtools"?
9. Look for embedded data similar to what https://github.com/BishopFox/jsluice extracts and offer it as endpoints.

For some of these features, it may make sense to incorporate a server-side component. For example, sending captured data to be trained (7) or cross-referencing with existing documented APIs based on the host names (3).

Excellent tool, congrats for hn # 1!

Would it be possible to opt-in always running the extension on the background, so that you don't need to worry about profiling a specific website, and just passively collect all API's you've accessed?

Might be relevant when you've lost access to a front (or if the front gets taken down) and you'd like to directly communicate with the API.

On Windows 11 running Chrome Version 119.0.6045.106 (Official Build) (64-bit)

This could be a misunderstanding on my part but my assumption is that post install, it would show either in this list.

or in this list

If there is something more to do in order to get it to show up it might be worth putting in the readme.