[Web OpenApi] Request with Body not specified in OpenAPI is NOT rejected

[dprincethg]

Version

v4.3.1 - Vert.x OpenAPI

Context

In OpenAPI, when operation does not contain any "requestBody" description.

"paths" : { "/myPath" : { "post" : { "summary" : "bla bla", "operationId" : "myOperationId", "parameters" : ..., "responses" : ... } } }

A Request WITH a json body (content-type: application/json) is not rejected by the web-api router as expected.

Do you have a reproducer?

NO

Steps to reproduce

cf description

Extra

[ThorodanBrom]

In OpenAPI 3 at least, the request body is optional by default , see here. I think this is why the validation handler does not throw an error. If you explicitly do not want a request body to be sent, try setting required: false in the requestBody section, it might work.

We had a similar issue when the validation handler did not throw an error when a requestBody was defined in the OpenAPI spec, but an empty body was sent. There, setting required: true solved the issue.

Edit: Sorry, this did not work.

[dprincethg]

Hi @ThorodanBrom

Thanks for your reply.

Indeed, "required" property is not adapted for this issue.

1. "required: true" means Operation defines a Body and this body is mandated (MUST be present to all requests)
2. "required: false" means Operation defines a Body BUT this body presence is optional

My issue is different:

1. OA specifies that operation has not body so request MUST not have a Body (shall not be present).
2. Unfortunately , Vertx does not reject request with body

David

[dprincethg]

Hello,

Any news about this issue?

David

[pk-work]

I think this issue is tracked in eclipse-vertx/vertx-openapi#17, which also makes more sense as Web OpenAPI is deprecated.

Therefore I will close this issue. If I'm wrong please reopen the issue.

[pk-work]

Ah just see that this is about the request, not the response. So it is maybe already fixed in the new version of OpenAPI Router.