feat: support rejecting when request body present but not required by specification

Mark Pierce · Mark Pierce · commit 65fcc374e5bd · 2025-09-27T10:08:04.000+01:00
diff --git a/.github/docs/openapi3filter.txt b/.github/docs/openapi3filter.txt
@@ -238,6 +238,9 @@ type Options struct {
 	// Set RegexCompiler to override the regex implementation
 	RegexCompiler openapi3.RegexCompilerFunc
 
+	// Set RejectWhenRequestBodyNotSpecified so ValidateRequest fails when request body is present but not defined in the specification
+	RejectWhenRequestBodyNotSpecified bool
+
 	// A document with security schemes defined will not pass validation
 	// unless an AuthenticationFunc is defined.
 	// See NoopAuthenticationFunc
diff --git a/openapi3filter/options.go b/openapi3filter/options.go
@@ -28,6 +28,9 @@ type Options struct {
 	// Set RegexCompiler to override the regex implementation
 	RegexCompiler openapi3.RegexCompilerFunc
 
+	// Set RejectWhenRequestBodyNotSpecified so ValidateRequest fails when request body is present but not defined in the specification
+	RejectWhenRequestBodyNotSpecified bool
+
 	// A document with security schemes defined will not pass validation
 	// unless an AuthenticationFunc is defined.
 	// See NoopAuthenticationFunc
diff --git a/openapi3filter/testdata/issue1100_test.go b/openapi3filter/testdata/issue1100_test.go
@@ -0,0 +1,110 @@
+package openapi3filter
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/getkin/kin-openapi/openapi3filter"
+	"github.com/stretchr/testify/require"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/getkin/kin-openapi/routers/gorillamux"
+)
+
+func TestIssue1100(t *testing.T) {
+	spec := `
+openapi: 3.0.3
+info:
+  version: 1.0.0
+  title: sample api
+  description: api service paths to test the issue
+paths:
+  /api/path:
+    post:
+      summary: path
+      tags:
+        - api
+      responses:
+        '200':
+          description: Ok
+    `[1:]
+
+	loader := openapi3.NewLoader()
+
+	doc, err := loader.LoadFromData([]byte(spec))
+	require.NoError(t, err)
+
+	err = doc.Validate(loader.Context)
+	require.NoError(t, err)
+
+	router, err := gorillamux.NewRouter(doc)
+	require.NoError(t, err)
+
+	for _, testcase := range []struct {
+		name       string
+		endpoint   string
+		ct         string
+		data       string
+		rejectBody bool
+		shouldFail bool
+	}{
+		{
+			name:       "json success",
+			endpoint:   "/api/path",
+			ct:         "application/json",
+			data:       ``,
+			rejectBody: false,
+			shouldFail: false,
+		},
+		{
+			name:       "json failure",
+			endpoint:   "/api/path",
+			ct:         "application/json",
+			data:       `{"data":"some+unexpected+data"}`,
+			rejectBody: false,
+			shouldFail: false,
+		},
+		{
+			name:       "json success",
+			endpoint:   "/api/path",
+			ct:         "application/json",
+			data:       ``,
+			rejectBody: true,
+			shouldFail: false,
+		},
+		{
+			name:       "json failure",
+			endpoint:   "/api/path",
+			ct:         "application/json",
+			data:       `{"data":"some+unexpected+data"}`,
+			rejectBody: true,
+			shouldFail: true,
+		},
+	} {
+		t.Run(
+			testcase.name, func(t *testing.T) {
+				data := strings.NewReader(testcase.data)
+				req, err := http.NewRequest("POST", testcase.endpoint, data)
+				require.NoError(t, err)
+				req.Header.Add("Content-Type", testcase.ct)
+
+				route, pathParams, err := router.FindRoute(req)
+				require.NoError(t, err)
+
+				validationInput := &openapi3filter.RequestValidationInput{
+					Request:    req,
+					PathParams: pathParams,
+					Route:      route,
+					Options:    &openapi3filter.Options{RejectWhenRequestBodyNotSpecified: testcase.rejectBody},
+				}
+				err = openapi3filter.ValidateRequest(loader.Context, validationInput)
+				if testcase.shouldFail {
+					require.Error(t, err, "This test case should fail "+testcase.data)
+				} else {
+					require.NoError(t, err, "This test case should pass "+testcase.data)
+				}
+			},
+		)
+	}
+}
diff --git a/openapi3filter/validate_request.go b/openapi3filter/validate_request.go
@@ -90,8 +90,23 @@ func ValidateRequest(ctx context.Context, input *RequestValidationInput) error {
 
 	// RequestBody
 	requestBody := operation.RequestBody
-	if requestBody != nil && !options.ExcludeRequestBody {
-		if err := ValidateRequestBody(ctx, input, requestBody.Value); err != nil {
+	if !options.ExcludeRequestBody {
+		// Validate specification request body if present
+		if requestBody != nil {
+			if err := ValidateRequestBody(ctx, input, requestBody.Value); err != nil {
+				if !options.MultiError {
+					return err
+				}
+				me = append(me, err)
+			}
+		}
+
+		// Reject if specification request body if not present (not wanted) but is present in the HTTP request
+		if options.RejectWhenRequestBodyNotSpecified && input.Request.ContentLength > 0 {
+			err := &RequestError{
+				Input: input,
+				Err:   fmt.Errorf("request body not allowed for this request"),
+			}
 			if !options.MultiError {
 				return err
 			}
@@ -193,22 +208,34 @@ func ValidateParameter(ctx context.Context, input *RequestValidationInput, param
 			case openapi3.ParameterInHeader:
 				req.Header.Add(parameter.Name, fmt.Sprint(value))
 			case openapi3.ParameterInCookie:
-				req.AddCookie(&http.Cookie{
-					Name:  parameter.Name,
-					Value: fmt.Sprint(value),
-				})
+				req.AddCookie(
+					&http.Cookie{
+						Name:  parameter.Name,
+						Value: fmt.Sprint(value),
+					},
+				)
 			}
 		}
 	}
 
 	// Validate a parameter's value and presence.
 	if parameter.Required && !found {
-		return &RequestError{Input: input, Parameter: parameter, Reason: ErrInvalidRequired.Error(), Err: ErrInvalidRequired}
+		return &RequestError{
+			Input:     input,
+			Parameter: parameter,
+			Reason:    ErrInvalidRequired.Error(),
+			Err:       ErrInvalidRequired,
+		}
 	}
 
 	if isNilValue(value) {
 		if !parameter.AllowEmptyValue && found {
-			return &RequestError{Input: input, Parameter: parameter, Reason: ErrInvalidEmptyValue.Error(), Err: ErrInvalidEmptyValue}
+			return &RequestError{
+				Input:     input,
+				Parameter: parameter,
+				Reason:    ErrInvalidEmptyValue.Error(),
+				Err:       ErrInvalidEmptyValue,
+			}
 		}
 		return nil
 	}
@@ -372,7 +399,11 @@ func ValidateRequestBody(ctx context.Context, input *RequestValidationInput, req
 // ValidateSecurityRequirements goes through multiple OpenAPI 3 security
 // requirements in order and returns nil on the first valid requirement.
 // If no requirement is met, errors are returned in order.
-func ValidateSecurityRequirements(ctx context.Context, input *RequestValidationInput, srs openapi3.SecurityRequirements) error {
+func ValidateSecurityRequirements(
+	ctx context.Context,
+	input *RequestValidationInput,
+	srs openapi3.SecurityRequirements,
+) error {
 	if len(srs) == 0 {
 		return nil
 	}
@@ -394,7 +425,11 @@ func ValidateSecurityRequirements(ctx context.Context, input *RequestValidationI
 }
 
 // validateSecurityRequirement validates a single OpenAPI 3 security requirement
-func validateSecurityRequirement(ctx context.Context, input *RequestValidationInput, securityRequirement openapi3.SecurityRequirement) error {
+func validateSecurityRequirement(
+	ctx context.Context,
+	input *RequestValidationInput,
+	securityRequirement openapi3.SecurityRequirement,
+) error {
 	names := make([]string, 0, len(securityRequirement))
 	for name := range securityRequirement {
 		names = append(names, name)
@@ -467,12 +502,14 @@ func validateSecurityRequirement(ctx context.Context, input *RequestValidationIn
 			}
 		}
 
-		if err := f(ctx, &AuthenticationInput{
-			RequestValidationInput: input,
-			SecuritySchemeName:     name,
-			SecurityScheme:         securityScheme,
-			Scopes:                 scopes,
-		}); err != nil {
+		if err := f(
+			ctx, &AuthenticationInput{
+				RequestValidationInput: input,
+				SecuritySchemeName:     name,
+				SecurityScheme:         securityScheme,
+				Scopes:                 scopes,
+			},
+		); err != nil {
 			return err
 		}
 	}
