Refactor OpenAPI document generation and optimize schema creation

Copilot · JerryNixon · Copilot · commit 08aa6561f946 · 2026-02-16T17:02:18.000Z
Architectural improvements per @JerryNixon feedback: 1. **Extract shared document building logic**: - New `BuildOpenApiDocument` method contains shared logic for both superset and role-specific documents - Eliminates duplication between `CreateDocument` and `GenerateDocumentForRole` - Future changes to document structure only need to be made in one place 2. **Validate role parameter doesn't contain path separators**: - Added check to reject roles containing '/' (e.g., /openapi/foo/bar) - Ensures role parameter is a single segment, not a multi-part path 3. **Only generate request body schemas when mutation operations exist**: - Check `GetConfiguredRestOperations` before creating _NoAutoPK and _NoPK schemas - For tables/views: only generate if POST, PUT, or PATCH operations are available - For stored procedures: only generate _sp_request if operations that use it exist - Reduces document size and eliminates unused schemas for read-only entities These changes improve code maintainability, prevent route confusion, and optimize document size. Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com>
diff --git a/src/Core/Services/OpenAPI/OpenApiDocumentor.cs b/src/Core/Services/OpenAPI/OpenApiDocumentor.cs
@@ -176,6 +176,20 @@ public bool TryGetDocumentForRole(string role, [NotNullWhen(true)] out string? d
         /// Generates an OpenAPI document filtered for a specific role.
         /// </summary>
         private OpenApiDocument? GenerateDocumentForRole(RuntimeConfig runtimeConfig, string role)
+        {
+            string title = $"{DOCUMENTOR_UI_TITLE} - {role}";
+            return BuildOpenApiDocument(runtimeConfig, role, title);
+        }
+
+        /// <summary>
+        /// Builds an OpenAPI document with optional role-based filtering.
+        /// Shared logic for both superset and role-specific document generation.
+        /// </summary>
+        /// <param name="runtimeConfig">Runtime configuration.</param>
+        /// <param name="role">Optional role to filter permissions. If null, returns superset of all roles.</param>
+        /// <param name="title">Document title.</param>
+        /// <returns>OpenAPI document.</returns>
+        private OpenApiDocument BuildOpenApiDocument(RuntimeConfig runtimeConfig, string? role, string title)
         {
             string restEndpointPath = runtimeConfig.RestPath;
             string? runtimeBaseRoute = runtimeConfig.Runtime?.BaseRoute;
@@ -208,8 +222,7 @@ public bool TryGetDocumentForRole(string role, [NotNullWhen(true)] out string? d
                 Info = new OpenApiInfo
                 {
                     Version = ProductInfo.GetProductVersion(),
-                    // Use the role name directly since it was already validated to exist in permissions
-                    Title = $"{DOCUMENTOR_UI_TITLE} - {role}"
+                    Title = title
                 },
                 Servers = new List<OpenApiServer>
                 {
@@ -250,48 +263,7 @@ public void CreateDocument(bool doOverrideExistingDocument = false)
 
             try
             {
-                string restEndpointPath = runtimeConfig.RestPath;
-                string? runtimeBaseRoute = runtimeConfig.Runtime?.BaseRoute;
-                string url = string.IsNullOrEmpty(runtimeBaseRoute) ? restEndpointPath : runtimeBaseRoute + "/" + restEndpointPath;
-                OpenApiComponents components = new()
-                {
-                    Schemas = CreateComponentSchemas(runtimeConfig.Entities, runtimeConfig.DefaultDataSourceName, role: null, isRequestBodyStrict: runtimeConfig.IsRequestBodyStrict)
-                };
-
-                // Collect all entity tags and their descriptions for the top-level tags array
-                // Only include entities that have REST enabled and at least one available operation
-                List<OpenApiTag> globalTags = new();
-                foreach (KeyValuePair<string, Entity> kvp in runtimeConfig.Entities)
-                {
-                    Entity entity = kvp.Value;
-                    if (!entity.Rest.Enabled || !HasAnyAvailableOperations(entity))
-                    {
-                        continue;
-                    }
-
-                    string restPath = entity.Rest?.Path ?? kvp.Key;
-                    globalTags.Add(new OpenApiTag
-                    {
-                        Name = restPath,
-                        Description = string.IsNullOrWhiteSpace(entity.Description) ? null : entity.Description
-                    });
-                }
-
-                OpenApiDocument doc = new()
-                {
-                    Info = new OpenApiInfo
-                    {
-                        Version = ProductInfo.GetProductVersion(),
-                        Title = DOCUMENTOR_UI_TITLE
-                    },
-                    Servers = new List<OpenApiServer>
-                    {
-                        new() { Url = url }
-                    },
-                    Paths = BuildPaths(runtimeConfig.Entities, runtimeConfig.DefaultDataSourceName),
-                    Components = components,
-                    Tags = globalTags
-                };
+                OpenApiDocument doc = BuildOpenApiDocument(runtimeConfig, role: null, title: DOCUMENTOR_UI_TITLE);
                 _openApiDocument = doc;
             }
             catch (Exception ex)
@@ -1314,13 +1286,21 @@ private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities
                 // Filter fields based on the superset of permissions across all roles (or specific role)
                 exposedColumnNames = FilterFieldsByPermissions(entity, exposedColumnNames, role);
 
+                // Get configured operations to determine which schemas to generate
+                Dictionary<OperationType, bool> configuredOps = GetConfiguredRestOperations(entity, dbObject, role);
+                bool hasPostOperation = configuredOps.GetValueOrDefault(OperationType.Post);
+                bool hasPutPatchOperation = configuredOps.GetValueOrDefault(OperationType.Put) || configuredOps.GetValueOrDefault(OperationType.Patch);
+
                 HashSet<string> nonAutoGeneratedPKColumnNames = new();
 
                 if (dbObject.SourceType is EntitySourceType.StoredProcedure)
                 {
-                    // Request body schema whose properties map to stored procedure parameters
-                    DatabaseStoredProcedure spObject = (DatabaseStoredProcedure)dbObject;
-                    schemas.Add(entityName + SP_REQUEST_SUFFIX, CreateSpRequestComponentSchema(fields: spObject.StoredProcedureDefinition.Parameters, isRequestBodyStrict: isRequestBodyStrict));
+                    // Only generate request body schema if SP has operations that use it
+                    if (hasPostOperation || hasPutPatchOperation)
+                    {
+                        DatabaseStoredProcedure spObject = (DatabaseStoredProcedure)dbObject;
+                        schemas.Add(entityName + SP_REQUEST_SUFFIX, CreateSpRequestComponentSchema(fields: spObject.StoredProcedureDefinition.Parameters, isRequestBodyStrict: isRequestBodyStrict));
+                    }
 
                     // Response body schema whose properties map to the stored procedure's first result set columns
                     // as described by sys.dm_exec_describe_first_result_set. 
@@ -1334,43 +1314,47 @@ private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities
                     // Response schemas don't need additionalProperties restriction
                     schemas.Add(entityName, CreateComponentSchema(entityName, fields: exposedColumnNames, metadataProvider, entities, isRequestBodySchema: false));
 
-                    // Create an entity's request body component schema excluding autogenerated primary keys.
-                    // A POST request requires any non-autogenerated primary key references to be in the request body.
-                    foreach (string primaryKeyColumn in sourceDefinition.PrimaryKey)
+                    // Only generate request body schemas if mutation operations are available
+                    if (hasPostOperation || hasPutPatchOperation)
                     {
-                        // Non-Autogenerated primary key(s) should appear in the request body.
-                        if (!sourceDefinition.Columns[primaryKeyColumn].IsAutoGenerated)
+                        // Create an entity's request body component schema excluding autogenerated primary keys.
+                        // A POST request requires any non-autogenerated primary key references to be in the request body.
+                        foreach (string primaryKeyColumn in sourceDefinition.PrimaryKey)
                         {
-                            nonAutoGeneratedPKColumnNames.Add(primaryKeyColumn);
-                            continue;
-                        }
+                            // Non-Autogenerated primary key(s) should appear in the request body.
+                            if (!sourceDefinition.Columns[primaryKeyColumn].IsAutoGenerated)
+                            {
+                                nonAutoGeneratedPKColumnNames.Add(primaryKeyColumn);
+                                continue;
+                            }
 
-                        if (metadataProvider.TryGetExposedColumnName(entityName, backingFieldName: primaryKeyColumn, out string? exposedColumnName)
-                            && exposedColumnName is not null)
-                        {
-                            exposedColumnNames.Remove(exposedColumnName);
+                            if (metadataProvider.TryGetExposedColumnName(entityName, backingFieldName: primaryKeyColumn, out string? exposedColumnName)
+                                && exposedColumnName is not null)
+                            {
+                                exposedColumnNames.Remove(exposedColumnName);
+                            }
                         }
-                    }
 
-                    // Request body schema for POST - apply additionalProperties based on strict mode
-                    schemas.Add($"{entityName}_NoAutoPK", CreateComponentSchema(entityName, fields: exposedColumnNames, metadataProvider, entities, isRequestBodySchema: true, isRequestBodyStrict: isRequestBodyStrict));
+                        // Request body schema for POST - apply additionalProperties based on strict mode
+                        schemas.Add($"{entityName}_NoAutoPK", CreateComponentSchema(entityName, fields: exposedColumnNames, metadataProvider, entities, isRequestBodySchema: true, isRequestBodyStrict: isRequestBodyStrict));
 
-                    // Create an entity's request body component schema excluding all primary keys
-                    // by removing the tracked non-autogenerated primary key column names and removing them from
-                    // the exposedColumnNames collection.
-                    // The schema component without primary keys is used for PUT and PATCH operation request bodies because
-                    // those operations require all primary key references to be in the URI path, not the request body.
-                    foreach (string primaryKeyColumn in nonAutoGeneratedPKColumnNames)
-                    {
-                        if (metadataProvider.TryGetExposedColumnName(entityName, backingFieldName: primaryKeyColumn, out string? exposedColumnName)
-                            && exposedColumnName is not null)
+                        // Create an entity's request body component schema excluding all primary keys
+                        // by removing the tracked non-autogenerated primary key column names and removing them from
+                        // the exposedColumnNames collection.
+                        // The schema component without primary keys is used for PUT and PATCH operation request bodies because
+                        // those operations require all primary key references to be in the URI path, not the request body.
+                        foreach (string primaryKeyColumn in nonAutoGeneratedPKColumnNames)
                         {
-                            exposedColumnNames.Remove(exposedColumnName);
+                            if (metadataProvider.TryGetExposedColumnName(entityName, backingFieldName: primaryKeyColumn, out string? exposedColumnName)
+                                && exposedColumnName is not null)
+                            {
+                                exposedColumnNames.Remove(exposedColumnName);
+                            }
                         }
-                    }
 
-                    // Request body schema for PUT/PATCH - apply additionalProperties based on strict mode
-                    schemas.Add($"{entityName}_NoPK", CreateComponentSchema(entityName, fields: exposedColumnNames, metadataProvider, entities, isRequestBodySchema: true, isRequestBodyStrict: isRequestBodyStrict));
+                        // Request body schema for PUT/PATCH - apply additionalProperties based on strict mode
+                        schemas.Add($"{entityName}_NoPK", CreateComponentSchema(entityName, fields: exposedColumnNames, metadataProvider, entities, isRequestBodySchema: true, isRequestBodyStrict: isRequestBodyStrict));
+                    }
                 }
             }
 
diff --git a/src/Service/Controllers/RestController.cs b/src/Service/Controllers/RestController.cs
@@ -243,8 +243,16 @@ private async Task<IActionResult> HandleOperation(
                         return NotFound();
                     }
 
-                    string role = Uri.UnescapeDataString(routeAfterPathBase.Substring(OpenApiDocumentor.OPENAPI_ROUTE.Length + 1));
-                    if (!string.IsNullOrEmpty(role) && _openApiDocumentor.TryGetDocumentForRole(role, out string? roleDocument))
+                    string role = Uri.UnescapeDataString(
+                        routeAfterPathBase.Substring(OpenApiDocumentor.OPENAPI_ROUTE.Length + 1));
+
+                    // Validate role doesn't contain path separators (reject /openapi/foo/bar)
+                    if (string.IsNullOrEmpty(role) || role.Contains('/'))
+                    {
+                        return NotFound();
+                    }
+
+                    if (_openApiDocumentor.TryGetDocumentForRole(role, out string? roleDocument))
                     {
                         return Content(roleDocument, MediaTypeNames.Application.Json);
                     }

Original file line number	Diff line number	Diff line change
`@@ -243,8 +243,16 @@ private async Task<IActionResult> HandleOperation(`
`243`	`243`	`return NotFound();`
`244`	`244`	`}`
`245`	`245`
`246`		`- string role = Uri.UnescapeDataString(routeAfterPathBase.Substring(OpenApiDocumentor.OPENAPI_ROUTE.Length + 1));`
`247`		`- if (!string.IsNullOrEmpty(role) && _openApiDocumentor.TryGetDocumentForRole(role, out string? roleDocument))`
	`246`	`+ string role = Uri.UnescapeDataString(`
	`247`	`+ routeAfterPathBase.Substring(OpenApiDocumentor.OPENAPI_ROUTE.Length + 1));`
	`248`	`+`
	`249`	`+ // Validate role doesn't contain path separators (reject /openapi/foo/bar)`
	`250`	`+ if (string.IsNullOrEmpty(role) \|\| role.Contains('/'))`
	`251`	`+ {`
	`252`	`+ return NotFound();`
	`253`	`+ }`
	`254`	`+`
	`255`	`+ if (_openApiDocumentor.TryGetDocumentForRole(role, out string? roleDocument))`
`248`	`256`	`{`
`249`	`257`	`return Content(roleDocument, MediaTypeNames.Application.Json);`
`250`	`258`	`}`