Validate keys given to operation/2 macro

xxdavid · xxdavid · commit cd50619dcf1c · 2025-07-22T16:50:14.000+02:00
diff --git a/lib/open_api_spex/controller_specs.ex b/lib/open_api_spex/controller_specs.ex
@@ -375,6 +375,35 @@ defmodule OpenApiSpex.ControllerSpecs do
   def operation_spec(_module, _action, false = _spec), do: nil
 
   def operation_spec(module, action, spec) do
+    allowed_keys = [
+      :callbacks,
+      :description,
+      :deprecated,
+      :external_docs,
+      :operation_id,
+      :parameters,
+      :request_body,
+      :responses,
+      :security,
+      :summary,
+      :tags
+    ]
+
+    validation_result =
+      spec
+      |> Enum.reject(fn {key, _val} -> extension_key?(key) end)
+      |> Keyword.validate(allowed_keys)
+
+    case validation_result do
+      {:ok, _spec} ->
+        :ok
+
+      {:error, unknown_keys} ->
+        raise ArgumentError,
+              "Unknown keys given to operation/2: #{inspect(unknown_keys)}. " <>
+                "Allowed keys are: #{inspect(allowed_keys)}, and keys starting with 'x-'."
+    end
+
     spec = Map.new(spec)
     shared_tags = Module.get_attribute(module, :shared_tags, []) |> List.flatten()
 
@@ -386,9 +415,7 @@ defmodule OpenApiSpex.ControllerSpecs do
 
     extensions =
       spec
-      |> Enum.filter(fn {key, _val} ->
-        is_atom(key) && String.starts_with?(to_string(key), "x-")
-      end)
+      |> Enum.filter(fn {key, _val} -> extension_key?(key) end)
       |> Map.new(fn {key, value} -> {to_string(key), value} end)
 
     %Operation{
@@ -406,4 +433,8 @@ defmodule OpenApiSpex.ControllerSpecs do
       extensions: extensions
     }
   end
+
+  defp extension_key?(key) do
+    is_atom(key) && String.starts_with?(to_string(key), "x-")
+  end
 end
diff --git a/test/controller_specs_test.exs b/test/controller_specs_test.exs
@@ -7,7 +7,7 @@ defmodule OpenApiSpex.ControllerSpecsTest do
   alias OpenApiSpexTest.DslController
   alias OpenApiSpexTest.DslControllerOperationStructs
 
-  describe "operation/1" do
+  describe "operation/2" do
     test "supports :parameters" do
       assert %OpenApiSpex.Operation{
                responses: %{},
@@ -157,5 +157,39 @@ defmodule OpenApiSpex.ControllerSpecsTest do
       assert %OpenApiSpex.Operation{extensions: %{"x-foo" => "bar"}} =
                DslController.open_api_operation(:index)
     end
+
+    test "raises when unknown key is provided" do
+      msg =
+        "Unknown keys given to operation/2: [:unknown]. Allowed keys are: " <>
+          "[:callbacks, :description, :deprecated, :external_docs, :operation_id, :parameters, " <>
+          ":request_body, :responses, :security, :summary, :tags], and keys starting with 'x-'."
+
+      assert_raise ArgumentError, msg, fn ->
+        Code.eval_string("""
+        defmodule TestController do
+          use OpenApiSpex.ControllerSpecs
+
+          operation :index,
+            summary: "Users index",
+            parameters: [
+              username: [
+                in: :query,
+                description: "Filter by username",
+                type: :string
+              ]
+            ],
+            responses: [
+              ok: {"Users index response", "application/json", UsersIndexResponse}
+            ],
+            unknown: "value",
+            "x-foo": "bar"
+
+          def index(conn, _) do
+            json(conn, [])
+          end
+        end
+        """)
+      end
+    end
   end
 end
