OpenAPI 3.0: no validation for request body parameters in try it out

[glowcloud]

Describe the bug you're encountering

Swagger UI does not show validation errors on try it out for object parameters in OpenAPI 3.0 specifications.

To reproduce...

Steps to reproduce the behavior:

1. Go to https://petstore3.swagger.io/
2. Navigate to /store/order POST request
3. Click on try it out button
4. Change id to test
5. Click on execute button
6. See no errors

Expected behavior

Swagger UI should validate incorrect input and show validation errors to the user. The errors will show for 2.0 specifications and for primitive parameters in 3.0:

[glowcloud]

It looks to me like we don't validate parameters at all for application/json and application/xml.

When checking for required fields, we skip the JSON validation:

swagger-ui/src/core/plugins/oas3/selectors.js

Lines 270 to 272 in 834fe0a

	// context: json => String; urlencoded, form-data => Map
	if (!Map.isMap(oas3RequestBodyValue)) {
	return missingRequiredKeys

If the request content type is set to application/x-www-form-urlencoded, the validation of required parameters is being done, although it looks to me like it might be missing for arrays. There's also no validation of types. In the screenshot, id is a string instead of integer and the photoUrls array is empty but there's no error. The required name is correctly shown as missing.

Here's the result of execution with correctly added name but empty photoUrls

It looks like the only validation for application/json and application/xml is done for the required requestBody itself:

[glowcloud]

There is also an issue with OpenAPI 2.0 - we don't validate required parameters in bodies but we do validate their types. It seems that the issue lies here:

swagger-ui/src/core/utils.js

Lines 488 to 494 in 1ce9ce0

	if(schema && schema.has("required") && isFunc(requiredBySchema.isList) && requiredBySchema.isList()) {
	requiredBySchema.forEach(key => {
	if(objectVal[key] === undefined) {
	errors.push({ propKey: key, error: "Required property not found" })
	}
	})
	}

We should be using List.isList(requiredBySchema) in this if check.

For OpenAPI 3.0, it looks like here

swagger-ui/src/core/plugins/spec/reducers.js

Line 88 in 1ce9ce0

const paramValues = parameterValues(state, pathMethod).toJS()

we're not getting the parameters for request body because, from looking at the OAS3 reducers, ex. here

swagger-ui/src/core/plugins/oas3/reducers.js

Line 43 in 1ce9ce0

return state.setIn(["requestData", path, method, "bodyValue"], newVal)

we're setting them in a different path that isn't being checked when we get the params.

We have a method that should be validating request body separately

swagger-ui/src/core/components/execute.jsx

Line 24 in 1ce9ce0

handleValidateRequestBody = () => {

but it looks like we don't check the types of values there at all and, as mentioned before:

When checking for required fields, we skip the JSON validation:

swagger-ui/src/core/plugins/oas3/selectors.js

Lines 270 to 272 in 834fe0a

	// context: json => String; urlencoded, form-data => Map
	if (!Map.isMap(oas3RequestBodyValue)) {
	return missingRequiredKeys

[JaredAAT]

Again, I remain unconvinced that the client should be validating the input, it should be down to the server to validate what is being sent. There are good reasons why you may want to send invalid payloads from the client.