Request bodies moved out of parameters

[jharmn]

Problem description

Request bodies are currently specified in parameters as in: body. This has been addressed as an incongruence with other parameters throughout a variety of issues in meta #565, as well as discussions with tooling vendors, as well as many exceptions made for request bodies throughout the spec.

A number of issues arise from treating request body like other parameter locations (path, query, header) :

• name is meaningless in body, and is required. To underscore this, from the current spec (I would also argue this serves no documentation purpose):

The name of the body parameter has no effect on the parameter itself and is used for documentation purposes only

• Body parameters must be unique in the list of parameters. This currently has to be enforced/validated by tooling, as the array structure does not currently create any natural constraint. From Path Item Object

There can be one "body" parameter at most.

• In trying to add serialization schemes for complex non-body parameters (in added schema for all parameters #654), some trouble arises.
  • Request body is usually a media type like application/json, application/xml
  • Other parameters are typically either some sort of collection, and infrequently json, xml, etc.
• In adding examples to the body parameter (Add examples object #636), the examples aren’t really applicable to other parameter types.
• Throughout the spec, there are exceptions made for the inconsistency in the body parameter vs the other parameter types.

Proposed solution

• Move body parameter into it’s own key, peer-level to parameters.
• Simplify the request body object (vs parameter object), to remove name, in, required, and deprecated.
• Eliminate the use of examples in parameters (as media types are largely irrelevant). This was already unclear in the spec, and probably needs revision in another PR (as mentioned in Add examples object #636).

[ePaul]

• Eliminate the use of examples in parameters (as media types are largely irrelevant). This was already unclear in the spec, and probably needs revision in another PR (as mentioned in Add examples object #636).

While I think media types need separate considerations (see #146), I think the plural examples is still useful, i.e. the ability to give multiple examples. (Though this could live inside the schema object, not at the parameter level.)

[IvanGoncharov]

@jasonh-n-austin Cool PR 👍 definitely make spec less confusing.
But I disagree with removing required and deprecated.

You can make POST requests without body parameter, so you should have the ability to write required: false. For details, see this disscussion.

If you use the same schema to describe multiple body parameters, how you will deprecate only one of them? So body need it's own deprecate property.

[ePaul]

Actually I would omit it at the path item level, and have it only at the operation level.

I can't think of a single request body definition which would be plausibly the same for multiple, or even all, operations on the same path.

[jharmn]

I don't think it's super common, but I could see a case where the same type is used on multiple operations in the same path, with some exceptions. I'm not super tied to it, but since v2.0 has the concept for parameters, it seemed fair to keep it in splitting out requestBody.

[webron]

Adding to the people above and @whitlockjc's comment on the main thread - this just doesn't seem like a real case we need to handle. The idea behind parameters being at the POI was that people won't need to repeat common parameters - this makes sense for path parameters, query parameters and obviously header parameters. This doesn't make sense as much for payloads (form and body). You could argue there's a case where a single body can be used for both POST and PUT, and that a specific path doesn't have a GET/DELETE/... calls as well. So yes, but it feels like the edge of the edge.

Does adding support to it cost much? Probably not. Will it be used by enough APIs to justify it? Probably even less. So in favor of simplifying the tooling and considering there's a very easy alternative, I'd suggest we drop this from the POI.

[jharmn]

Agreed, I'll drop it.

[ePaul]

Deprecating a request body is only sensible when the operation previously had a body parameter, but in the future should be called without one. (Otherwise you would deprecate the whole operation.)

I guess this happens, but not that often, so I'm ambivalent if it is necessary.

Which might be happening more often would be passing a different body parameter (maybe with a different Content-Type), and then the old one will be deprecated. Enabling this at all belongs to #146, though. I guess a solution to that will also cover the case of "no body parameter".

[jharmn]

@IvanGoncharov this concept is meant to preclude the need for required. If no request body is needed, then one should not be specified. You could also specify a schema with nothing specified and get close the same net effect.

[webron]

I don't get it. If a requestBody is defined, how can it not have schema? Seems like schema needs to be required in this case.

Not sure we can avoid required here. To me, not stating a requestBody doesn't make it optional, it makes it 'ignored', 'unaccepted'.

We can argue whether there are cases that a payload can be optional, question is do we really want to not allow specifying it. We can make it implicitly required allowing people to explicitly set it as not-required if needed, covering most cases and reducing bloat.

[jharmn]

Adding required back in.

I'm specifying that it defaults to true, to avoid having to specify required: true for every request body (when that is probably the 90+% case).

[jharmn]

@IvanGoncharov I think @ePaul got it right here. In the case of an operation with a request body, the entire operation would be deprecated, but a request body would be very unlikely to be deprecated.

I intentionally didn't tackle multiple request bodies in this PR, to try and take a bite sized chunk of the complexity. Perhaps when we consider content-type-specific requests the deprecated issue comes back into focus.

On multiple request bodies (to be addressed in a future PR), to emphasize why it's not in here:
The additional complexity here is that the current structure uses one schema (the OpenAPI subset of JSON Schema) to describe all media types (which is, in itself, an issue), and examples are delineated by content-type.
If multiple request bodies (by content-type) are specified, then examples must be modified to unlink them from content-type.

[whitlockjc]

This should be requestBody instead of body.

[jharmn]

body should be requestBody here

[webron]

If we move formData parameters to the requestBody as well (and maybe even if not), perhaps a more suitable name would be payload (not a big fan of mixed-case names, body may be too obscure to some).

[whitlockjc]

My personal opinion is that having a path-level requestBody is not all that useful. Sure, there are some cases where the request body will have the same schema across all operations with a body but it could easily be confusing for operations where that isn't the case. I would much rather reuse things using references much like we do elsewhere using a $ref and so specifying a request body would be opt-in instead of opt-out in this case. I realize the thinking behind this was in the same vein around the ability now to set body parameters at the path-level but I'm not sure how useful even that is.

Would this require a global requests or requestBodies object to store the reusable schemas?

[jharmn]

@webron to look at how to deal with form urlencoded parameters.

[webron]

This is a good proposal. I'll add my comments to specific sections tackling the proposal as-is, then go over the formData parameters.

[webron]

Removing this description removes the restriction of using body parameters alongside formData parameters (which just can't happen). We either need to add it (probably in both places) or discuss moving formData parameters to the requestBody as well.

[webron]

Re examples - we may need to revisit it when we handle the content negotiation ticket.
Not sure how/why this changes the example for regular parameters though.

Re required - added my comments. Not sure we can avoid it.

Re deprecated - I tend to agree that if the body is deprecated, then the operation is deprecated. An alternative (and followup to above) to change it as marked to not being required - that should cover it.

@whitlockjc raises an important issue regarding reusable components - since requestBody is no longer a parameter, do we need to allow it under the new components construct? Not sure we can avoid it.

[jharmn]

• Fixed a typo and refined some language.
• Added required
• Removed path-level body

Now to look at formData.

[webron]

I'm trying to collect my thoughts around formData - my take is that we should try eliminating it and converging it with the requestBody - there are a few gotchas there but combining this PR with #654 allows us to solve many issues regarding formData (validation in conjunction with requestBody, allowing multiple file uploads, setting types for files and so on).

Hate bringing it up but regarding the name, are we set on requestBody? Was thinking of just payload, unless we're set on having the word request as part of it.

[webron]

Ugh, forgot to say, I think this can be merged, and I'll tackle the formData in a separate PR.

[wparad]

2 cents, please help rid the whole of formdata, either body or payload.

[webron]

This also resolved #278.

[webron]

Just noticed this - shouldn't the schema field be required? What does a request body mean without a schema?

[ralfhandl]

Some of our APIs use AtomPub-style "media resources", see https://tools.ietf.org/html/rfc5023#section-9.6. In this case the request body of a POST can have any media type, e.g. a picture or PDF document, so there's no schema.

[darrelmiller]

Many media types full describe the semantics of a body.