address review: simplify scalar branch + add oneOf and negative regression tests

- Replace the per-branch coerce_value loop with a single coerce_value call
  against the full anyOf/oneOf schema. coerce_value returns the input as-is
  on failed coercion, so picking the first 'non-nil' result was meaningless;
  the downstream jsonschema validator already evaluates every branch.
- Add deepObject + oneOf object/integer regression tests (mirror anyOf).
- Add negative regression: deepObject anyOf with an unmatched scalar value
  must be rejected.

Author: jarvis9443

lib/resty/openapi_validator/params.lua

@@ -256,7 +256,9 @@ local function deserialize_param(raw_value, param, query_args)
     local stype = schema.type
 
     -- deepObject style with anyOf/oneOf: try the object branch via parse_deep_object;
-    -- if no param[...] keys are present, try a scalar branch against the bare param value.
+    -- if no param[...] keys are present, coerce the bare param value against the
+    -- full schema (collect_types handles anyOf/oneOf branches) and let the
+    -- downstream jsonschema validator pick the matching branch.
     if style == "deepObject" and stype ~= "object"
        and (schema.anyOf or schema.oneOf) then
         local branches = schema.anyOf or schema.oneOf
@@ -273,15 +275,7 @@ local function deserialize_param(raw_value, param, query_args)
             if type(scalar_raw) == "table" then
                 scalar_raw = scalar_raw[1]
             end
-            for _, branch in ipairs(branches) do
-                if branch.type and branch.type ~= "object" then
-                    local v = coerce_value(scalar_raw, branch)
-                    if v ~= nil then
-                        return v
-                    end
-                end
-            end
-            return scalar_raw
+            return coerce_value(scalar_raw, schema)
         end
         return nil
     end

t/unit/test_params.lua

@@ -219,4 +219,57 @@ T.describe("params: deepObject anyOf integer branch", function()
     T.ok(not errs or #errs == 0, "no errors")
 end)
 
+-- Same shape as the anyOf cases but using oneOf, to lock in both branches
+-- of the runtime path.
+T.describe("params: deepObject oneOf object branch", function()
+    local route = make_route({
+        { name = "created", ["in"] = "query", required = false,
+          style = "deepObject", explode = true,
+          schema = { oneOf = {
+              { type = "object", properties = {
+                  gt = { type = "integer" }, lte = { type = "integer" },
+              } },
+              { type = "integer" },
+          } } },
+    }, "query")
+
+    local ok, errs = params_mod.validate(route,
+        {}, { ["created[gt]"] = "1700000000" }, {})
+    T.ok(ok, "deepObject oneOf object form accepted")
+    T.ok(not errs or #errs == 0, "no errors")
+end)
+
+T.describe("params: deepObject oneOf integer branch", function()
+    local route = make_route({
+        { name = "created", ["in"] = "query", required = false,
+          style = "deepObject", explode = true,
+          schema = { oneOf = {
+              { type = "object", properties = { gt = { type = "integer" } } },
+              { type = "integer" },
+          } } },
+    }, "query")
+
+    local ok, errs = params_mod.validate(route,
+        {}, { ["created"] = "1700000000" }, {})
+    T.ok(ok, "deepObject oneOf scalar (integer branch) accepted")
+    T.ok(not errs or #errs == 0, "no errors")
+end)
+
+-- Negative: a value that matches none of the anyOf branches must be rejected.
+T.describe("params: deepObject anyOf rejects unmatched scalar", function()
+    local route = make_route({
+        { name = "created", ["in"] = "query", required = false,
+          style = "deepObject", explode = true,
+          schema = { anyOf = {
+              { type = "object", properties = { gt = { type = "integer" } } },
+              { type = "integer" },
+          } } },
+    }, "query")
+
+    local ok, errs = params_mod.validate(route,
+        {}, { ["created"] = "not-a-number" }, {})
+    T.ok(not ok, "non-integer scalar rejected")
+    T.ok(errs and #errs >= 1, "error reported")
+end)
+
 T.done()