Description
Describe the bug
Endpoints that have parameters that overlap in such a fashion that they must be ordered from most specific to least specific can break if the parameter names are not the same.
To Reproduce
Create two endpoints that require specificity ordering to work correctly with different parameter names. The endpoints that I had issues with were:
/endpoint/{app}/{uuid}/download
/endpoint/{app}/{refType}/{refId}
These must be checked in the order shown, but will actually be checked in reverse order.
Actual behavior
The second endpoint is checked before the first endpoint. Output from actual stackblitz example below is:
> node index.js
Server running on http://localhost:3000
Testing request to: /endpoint/myapp/1234/download
→ Status: 400
→ Body: {"error":"request/params/refId must be integer"}
Expected behavior
This should have checked the first endpoint first and produced this output:
> node index.js
Server running on http://localhost:3000
Testing request to: /endpoint/myapp/1234/download
→ Status: 200
→ Body: Matched /download route
Examples and context
Tested with these versions:
"express": "^5.1.0",
"express-openapi-validator": "^5.5.7",
Stackblitz reproducing the error here: https://stackblitz.com/edit/stackblitz-starters-et5ckbs4?file=index.js
The issue comes from this sorting function in openapi.spec.loader:
const sortRoutes = (r1, r2) => {
  const e1 = r1.expressRoute.replace(/\/:/g, '/~');
  const e2 = r2.expressRoute.replace(/\/:/g, '/~');
  if (e1.startsWith(e2))
    return -1;
  else if (e2.startsWith(e1))
    return 1;
  return e1 > e2 ? 1 : -1;
};
This sorting function only properly orders routes if the route parameters are named the same across routes. If they are not named the same, this can instead cause validation failures. This function applied to the above endpoints results in them being reordered to:
/endpoint/:app/:refType/:refId
/endpoint/:app/:uuid/download
This results in validation failure.
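Added example, not part of the original issue and not the project's code or fix: it runs the comparator quoted above on the two reported routes, shows that renaming one parameter flips the order, and compares against a name-independent comparator. `sortRoutesByShape`, `order` and the `:id` variant of the route are hypothetical names introduced for illustration.

```javascript
// Comparator quoted in the issue, behaviour unchanged.
const sortRoutes = (r1, r2) => {
  const e1 = r1.expressRoute.replace(/\/:/g, '/~');
  const e2 = r2.expressRoute.replace(/\/:/g, '/~');
  if (e1.startsWith(e2)) return -1;
  else if (e2.startsWith(e1)) return 1;
  return e1 > e2 ? 1 : -1;
};

// Hypothetical alternative: compare path segments, ignoring parameter names.
const isParam = (seg) => seg.startsWith(':');
const sortRoutesByShape = (r1, r2) => {
  const s1 = r1.expressRoute.split('/');
  const s2 = r2.expressRoute.split('/');
  const n = Math.min(s1.length, s2.length);
  for (let i = 0; i < n; i++) {
    const p1 = isParam(s1[i]);
    const p2 = isParam(s2[i]);
    if (p1 && p2) continue;             // two parameters: names never affect order
    if (p1 !== p2) return p1 ? 1 : -1;  // a literal segment is more specific
    if (s1[i] !== s2[i]) return s1[i] > s2[i] ? 1 : -1;
  }
  return s2.length - s1.length;         // longer route first, as in the original
};

// Sort plain path strings with a comparator that expects { expressRoute }.
function order(comparator, paths) {
  return paths
    .map((expressRoute) => ({ expressRoute }))
    .sort(comparator)
    .map((r) => r.expressRoute);
}

// Routes from the issue, in Express form.
const reported = ['/endpoint/:app/:uuid/download', '/endpoint/:app/:refType/:refId'];
// Constructed variant: same shape, first route's parameter renamed to :id.
const renamed = ['/endpoint/:app/:id/download', '/endpoint/:app/:refType/:refId'];

console.log('original, reported:', order(sortRoutes, reported));
console.log('original, renamed: ', order(sortRoutes, renamed));
console.log('by shape, reported:', order(sortRoutesByShape, reported));
console.log('by shape, renamed: ', order(sortRoutesByShape, renamed));
```

With the quoted comparator the result depends on whether the parameter name sorts before or after `refType`, so request validation can be bound to a different operation after a rename with no change to the route shape.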