Missing body when required should yield 400

Open malcolmsparks opened this issue 8 years ago • 4 comments

From Slack

ijbriscoe [12:52 PM]
Query about :parameters. I'm using a schema to validate the body, and it works fine - if there is a body! If I omit the body, no validation. Is this by design or a bug? I would expect an empty body to result in an error, as (s/validate SomeSchema nil) does

I think this is a bug.

malcolmsparks • Jul 20 '16 12:07

Hi! I've been doing a little bit of investigation into this and I wouldn't mind having a go at fixing it, if indeed it needs fixing.

What I've found out so far is that process-request-body (https://github.com/juxt/yada/blob/master/src/yada/interceptors.clj#L195) considers RFC 7230 - Section 3.3.

Given that for an empty body we have a Content-Length of 0, yada decides not to process the request body and therefore never hits the part of the pipeline that would cause schema validation of the body to fail.

A simple fix for this could be to change process-request-body so that it results in a 400 if there is no Content-Length or Transfer-Encoding and the resource defines a :parameters :body schema for the appropriate HTTP method. At this point in time we won't have done any schema validation, so the error message would be rather generic. Which is a bit of a shame.

Did anyone have any ideas around this already?

markwoodhall • Sep 18 '16 22:09

I think this approach makes sense. If no body is in the request, it's really a 400.

malcolmsparks • Sep 19 '16 16:09

I think this issue can be closed now?

danielcompton • Jan 05 '17 03:01

When the strategy above is employed, and a test uses a call to response-for that provides a body, the test-author gets a confusing error response about no body being provided even though they have actually provided a body. I think this is because response-for doesn't set the "content-length" header in the synthetic request it generates.

cddr • Nov 10 '19 16:11
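
The check proposed in this thread, together with the synthetic-request case from the last comment, as an added example that is not yada's own code. The request and resource map shapes, the function names and the sample data are assumptions made for illustration; Content-Length: 0 is treated as no body, as described in the investigation above.

```clojure
(ns example.require-body
  (:require [clojure.string :as str]))

;; Assumed shapes (not yada's internals): lower-case header names in
;; (:headers request); resource is {:methods {:post {:parameters {:body <schema>}}}}

(defn has-body?
  "RFC 7230 section 3.3: a request body is signalled by a Content-Length or
  Transfer-Encoding header. Content-Length: 0 counts as no body."
  [{:keys [headers]}]
  (let [te (get headers "transfer-encoding")
        cl (get headers "content-length")]
    (boolean
     (or (and te (not (str/blank? te)))
         ;; positive decimal integer, matched without parsing to avoid overflow
         (some->> cl str/trim (re-matches #"0*[1-9][0-9]*"))))))

(defn check-required-body
  "Returns a 400 response map when the resource declares a :body schema for
  the request method and the request carries no body; otherwise nil."
  [resource {:keys [method] :as request}]
  (when (and (get-in resource [:methods method :parameters :body])
             (not (has-body? request)))
    {:status 400 :body "Request body required"}))

(defn with-content-length
  "Test helper: sets content-length from a string :body so a synthetic request
  that has a body is not rejected by check-required-body."
  [{:keys [body] :as request}]
  (cond-> request
    (string? body)
    (assoc-in [:headers "content-length"]
              (str (count (.getBytes ^String body "UTF-8"))))))

;; Constructed sample data.
(def resource {:methods {:post {:parameters {:body {:name String}}}}})
(def empty-post {:method :post :headers {"content-length" "0"}})
(def synthetic  {:method :post :headers {} :body "{\"name\":\"x\"}"})

(defn demo
  "Statuses for: an empty POST, a synthetic request without framing headers
  (the confusing case reported for response-for), and the same request after
  with-content-length. nil means the check passed."
  []
  (mapv #(:status (check-required-body resource %))
        [empty-post synthetic (with-content-length synthetic)]))
```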