feat: support rejecting when request body present but not required by specification

Mark Pierce · Mark Pierce · commit 70fbd7b7bf96 · 2025-09-26T08:41:14.000+01:00
diff --git a/.github/docs/openapi3filter.txt b/.github/docs/openapi3filter.txt
@@ -238,6 +238,9 @@ type Options struct {
 	// Set RegexCompiler to override the regex implementation
 	RegexCompiler openapi3.RegexCompilerFunc
 
+	// Set RejectWhenRequestBodyNotSpecified so ValidateRequest fails when request body is present but not defined in the specification
+	RejectWhenRequestBodyNotSpecified bool
+
 	// A document with security schemes defined will not pass validation
 	// unless an AuthenticationFunc is defined.
 	// See NoopAuthenticationFunc
diff --git a/openapi3filter/options.go b/openapi3filter/options.go
@@ -28,6 +28,9 @@ type Options struct {
 	// Set RegexCompiler to override the regex implementation
 	RegexCompiler openapi3.RegexCompilerFunc
 
+	// Set RejectWhenRequestBodyNotSpecified so ValidateRequest fails when request body is present but not defined in the specification
+	RejectWhenRequestBodyNotSpecified bool
+
 	// A document with security schemes defined will not pass validation
 	// unless an AuthenticationFunc is defined.
 	// See NoopAuthenticationFunc
diff --git a/openapi3filter/validate_request.go b/openapi3filter/validate_request.go
@@ -90,12 +90,23 @@ func ValidateRequest(ctx context.Context, input *RequestValidationInput) error {
 
 	// RequestBody
 	requestBody := operation.RequestBody
-	if requestBody != nil && !options.ExcludeRequestBody {
-		if err := ValidateRequestBody(ctx, input, requestBody.Value); err != nil {
-			if !options.MultiError {
-				return err
+	if !options.ExcludeRequestBody {
+		// Validate specification request body if present
+		if requestBody != nil {
+			if err := ValidateRequestBody(ctx, input, requestBody.Value); err != nil {
+				if !options.MultiError {
+					return err
+				}
+				me = append(me, err)
+			}
+		}
+
+		// Reject if specification request body if not present (not wanted) but is present in the HTTP request
+		if options.RejectWhenRequestBodyNotSpecified && input.Request.ContentLength > 0 {
+			return &RequestError{
+				Input: input,
+				Err:   fmt.Errorf("request body not allowed for this request"),
 			}
-			me = append(me, err)
 		}
 	}
 
