fix: skip request body validation gracefully instead of throwing error#2188
Open
bobbiejaxn wants to merge 2 commits intoasyncapi:masterfrom
Open
fix: skip request body validation gracefully instead of throwing error#2188bobbiejaxn wants to merge 2 commits intoasyncapi:masterfrom
bobbiejaxn wants to merge 2 commits intoasyncapi:masterfrom
Conversation
bobbiejaxn
requested review from
AayushSaini101,
Amzani,
Shurtu-gal,
Souvikns and
asyncapi-bot-eve
as code owners
🦋 Changeset detectedLatest commit: 8dee99f The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Fixes asyncapi#1987 Two bugs fixed: 1. Unsafe access to requestBody.content['application/json'].schema crashes with TypeError when application/json is not a content type (e.g., multipart/form-data, text/plain). Fixed with optional chaining to safely check content type before accessing schema. 2. When compileAjv returns undefined (no requestBody or no JSON schema), the middleware incorrectly threw 'Request body validation is not supported' error. This is wrong - methods without request bodies (like GET, DELETE) simply don't need body validation, and endpoints with non-JSON content types should silently skip rather than error. Fixed to pass through instead of throwing.
bobbiejaxn
force-pushed
the
fix/issue-1987-request-body-validation
branch
from
d6053e5 to
8dee99f
Compare
Author
|
Rebased on latest Ready for review: @Souvikns @Shurtu-gal @AayushSaini101 This is part of the MICROGRANT Program 2026-05. |
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1987
The Bug
When using request validation in the CLI, request body validation is skipped or reported as unsupported for certain paths or HTTP methods, even when a valid request body schema is defined. Two specific issues:
Bug 1: Unsafe property access crashes validation
requestBody.content["'application/json'].schemathrowsTypeError: Cannot read properties of undefinedwhen the content type is notapplication/json(e.g.,multipart/form-data,text/plain, or missing entirely).Before: Direct property access crashes or returns undefined
After: Optional chaining
requestBody.content?.["application/json"]?.schemasafely handles missing content typesBug 2: Incorrect error for endpoints without request bodies
When
compileAjv()returnsundefined(because the method has no requestBody, like GET/DELETE, or the requestBody has no JSON schema), the middleware threw:This is wrong. Methods without request bodies simply don't need body validation — it's not an error condition. Endpoints with non-JSON content types should silently skip rather than error.
Before: Throws 422 error
After: Silently passes through to document validation
Testing
This mirrors the fix in #2128 but is more surgical — only touches
validation.middleware.tsand does not include the unrelated URL parsing changes from #1940 (which is addressed separately in #2187).Scope
This PR only fixes the request body validation bug (#1987). It does not touch the URL parsing or file extension detection (those are in #2187 for #1940).