feat(spectral): add rule enforcing Problem Details error responses for 400,401,403,404,500

andreyyudin · andreyyudin · commit 12cd39a10769 · 2025-05-19T15:40:42.000+01:00
diff --git a/example/example.1.0.0.oas.yml b/example/example.1.0.0.oas.yml
@@ -33,6 +33,16 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ApiInfo'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/UnexpectedError'
         default:
           $ref: '#/components/responses/UnexpectedError'
 
@@ -78,6 +88,16 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ResultsResponse'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/UnexpectedError'
         default:
           $ref: '#/components/responses/UnexpectedError'
     post:
@@ -120,6 +140,14 @@ paths:
                 $ref: '#/components/schemas/ResultResponse'
         '400':
           $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/UnexpectedError'
         default:
           $ref: '#/components/responses/UnexpectedError'
   /results/{resultId}:
@@ -145,8 +173,16 @@ paths:
               schema:
                 $ref: '#/components/schemas/ResultResponse'
           description: This response returns a JSON object containing the test result data.
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
         '404':
           $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/UnexpectedError'
         default:
           $ref: '#/components/responses/UnexpectedError'
 
@@ -448,6 +484,24 @@ components:
               $ref: '#/components/examples/validation-error'
             validation-errors:
               $ref: '#/components/examples/validation-errors'
+    Unauthorized:
+      description: The request is not authenticated.
+      content:
+        application/problem+json:
+          schema:
+            $ref: '#/components/schemas/ProblemDetails'
+          examples:
+            unauthorized:
+              $ref: '#/components/examples/unauthorized'
+    Forbidden:
+      description: The request is authenticated but the user is not authorized.
+      content:
+        application/problem+json:
+          schema:
+            $ref: '#/components/schemas/ProblemDetails'
+          examples:
+            forbidden:
+              $ref: '#/components/examples/forbidden'
     NotFound:
       description: The requested resource was not found.
       content:
diff --git a/functions/has-required-problem-details-error-responses.js b/functions/has-required-problem-details-error-responses.js
@@ -0,0 +1,100 @@
+'use strict';
+
+/*
+Common Error Response Requirements (RFC 9457):
+
+Every operation MUST include:
+  - 400 Bad Request
+  - 404 Not Found
+  - 500 Internal Server Error
+    → MUST use `application/problem+json`
+    → MUST include examples
+
+If the API or operation is secured, then also required:
+  - 401 Unauthorized
+  - 403 Forbidden
+
+If an operation explicitly disables security (`security: []`) or the API has no global security:
+  - 401 and 403 are NOT required
+
+All responses must conform to the Problem Details standard (RFC 9457).
+*/
+
+const REQUIRED_ALWAYS = ['400', '404', '500'];
+const REQUIRED_IF_SECURED = ['401', '403'];
+
+/**
+ * Checks if a response defines the application/problem+json content type.
+ */
+function hasProblemJsonContent(response) {
+  return Boolean(response?.content?.['application/problem+json']);
+}
+
+/**
+ * Checks if a response includes at least one example.
+ */
+function hasExamples(response) {
+  const content = response?.content?.['application/problem+json'];
+  return Boolean(content?.examples && Object.keys(content.examples).length);
+}
+
+/**
+ * Determines if security is enabled for the operation or globally.
+ */
+function isSecurityEnabled(operationSecurity, globalSecurity) {
+  if (Array.isArray(operationSecurity)) return operationSecurity.length > 0;
+  if (Array.isArray(globalSecurity)) return globalSecurity.length > 0;
+  return false;
+}
+
+/**
+ * Validates a single response for presence, media type, and examples.
+ */
+function validateResponseRequirement(responses, statusCode, requireExample) {
+  const issues = [];
+  const response = responses?.[statusCode];
+  if (!response) {
+    issues.push('missing response');
+    return { statusCode, issues };
+  }
+  if (!hasProblemJsonContent(response)) {
+    issues.push('missing application/problem+json');
+  }
+  if (requireExample && !hasExamples(response)) {
+    issues.push('missing example');
+  }
+  return issues.length ? { statusCode, issues } : null;
+}
+
+/**
+ * Spectral custom function to validate common error responses on operations.
+ */
+export default function validateCommonErrorResponses(targetVal, _opts, context) {
+  const operation = targetVal;
+  const responses = operation.responses || {};
+  const globalSecurity = context.document?.data?.security;
+  const operationSecurity = operation.security;
+  const securityEnabled = isSecurityEnabled(operationSecurity, globalSecurity);
+
+  const requiredStatusCodes = [
+    ...REQUIRED_ALWAYS,
+    ...(securityEnabled ? REQUIRED_IF_SECURED : [])
+  ];
+
+  const issues = requiredStatusCodes
+    .map(code => validateResponseRequirement(responses, code, true))
+    .filter(Boolean);
+
+  if (issues.length > 0) {
+    const details = issues
+      .map(item => `${item.statusCode} (${item.issues.join(', ')})`)
+      .join('; ');
+
+    return [{
+      message: `Each operation must define Problem Details for: ${requiredStatusCodes.join(', ')}. Issues: ${details}.`,
+      path: [...context.path, 'responses'],
+    }];
+  }
+
+  return [];
+}
diff --git a/ukhsa.oas.rules.yml b/ukhsa.oas.rules.yml
@@ -7,6 +7,7 @@ documentationUrl: https://refactored-chainsaw-8qmo7ge.pages.github.io/
 
 functions:
   - is-api-info-json-schema
+  - has-required-problem-details-error-responses
 
 functionsDir: functions
 
@@ -264,3 +265,22 @@ rules:
     recommended: true
     description: '`201 Created` responses to `POST` methods SHOULD have a `Location` header identifying the location of the newly created resource.'
     message: '{{error}}'
+
+  # MUST each operation include Problem Details error responses
+
+  must-define-common-problem-details-errors:
+    description: |
+      Each operation MUST declare HTTP error responses for:
+        • 400 Bad Request  
+        • 404 Not Found  
+        • 500 Internal Server Error  
+      If security is required (global or operation-level), also:
+        • 401 Unauthorized  
+        • 403 Forbidden  
+      All responses must use `application/problem+json` and include examples.
+    message: '{{error}}'
+    severity: error
+    recommended: true
+    given: $.paths[*][*]
+    then:
+      function: has-required-problem-details-error-responses
