diff --git a/README.md b/README.md index 3f41ed94..91cb13f0 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ This piece of middleware validates the parameters of incoming requests to make s |check_content_type | true | true | Specifies that `Content-Type` should be verified according to JSON Hyper-schema or OpenAPI 3 definition. | |check_header | true | true | Check header data using JSON Hyper-schema or OpenAPI 3 definition. | |coerce_date_times | false | true | Convert the string with `"format": "date-time"` parameter to DateTime object. | -|coerce_form_params| false | true | Tries to convert POST data encoded into an `application/x-www-form-urlencoded` body (where values are all strings) into concrete types required by the schema. This works for `null` (empty value), `integer` (numeric value without decimals), `number` (numeric value) and `boolean` ("true" is converted to `true` and "false" to `false`). If coercion is not possible, the original value is passed unchanged to schema validation. | +|coerce_form_params| false | true | Tries to convert request body values into concrete types required by the schema. In Hyper-Schema and OpenAPI 2, this is primarily used for `application/x-www-form-urlencoded` bodies. In OpenAPI 3, this option is used for request body validation more generally, including `application/json` bodies. This works for `null` (empty value), `integer` (numeric value without decimals), `number` (numeric value) and `boolean` ("true" is converted to `true` and "false" to `false`). If coercion is not possible, the original value is passed unchanged to schema validation. | |coerce_path_params| false | true | The same as `coerce_form_params`, but tries to coerce parameters encoded in a request's URL path. | |coerce_query_params| false | true | The same as `coerce_form_params`, but tries to coerce `GET` parameters encoded in a request's query string. | |coerce_recursive| false | always true | Coerce data in arrays and other nested objects | diff --git a/lib/committee/drivers/open_api_3/driver.rb b/lib/committee/drivers/open_api_3/driver.rb index 803a7b07..cfc57975 100644 --- a/lib/committee/drivers/open_api_3/driver.rb +++ b/lib/committee/drivers/open_api_3/driver.rb @@ -8,7 +8,8 @@ def default_coerce_date_times true end - # Whether parameters that were form-encoded will be coerced by default. + # Historically named for form params, but in OpenAPI 3 this flag controls + # request body coercion more generally. def default_coerce_form_params true end diff --git a/test/schema_validator/open_api_3/operation_wrapper_test.rb b/test/schema_validator/open_api_3/operation_wrapper_test.rb index e07e5461..e7d8db59 100644 --- a/test/schema_validator/open_api_3/operation_wrapper_test.rb +++ b/test/schema_validator/open_api_3/operation_wrapper_test.rb @@ -204,6 +204,24 @@ def operation_object @path = '/characters' operation_object.validate_request_params({}, { "limit" => "1" }, {}, HEADER, query_coercion_enabled) end + + it 'uses coerce_form_params for JSON request bodies too' do + @path = '/validate' + @method = 'post' + + body_coercion_disabled = Committee::SchemaValidator::Option.new({ coerce_form_params: false }, open_api_3_schema, :open_api_3) + body_coercion_enabled = Committee::SchemaValidator::Option.new({ coerce_form_params: true }, open_api_3_schema, :open_api_3) + + error = assert_raises(Committee::InvalidRequest) do + operation_object.validate_request_params({}, {}, { "integer" => "1" }, HEADER, body_coercion_disabled) + end + assert_match(/expected integer, but received String: "1"/i, error.message) + + body_params = { "integer" => "1" } + operation_object.validate_request_params({}, {}, body_params, HEADER, body_coercion_enabled) + + assert_kind_of(Integer, body_params["integer"]) + end end end end