sq

Jamie Tanna · Jamie Tanna · commit f6d9ee23198e · 2025-04-24T15:20:59.000+01:00
diff --git a/oapi_validate.go b/oapi_validate.go
@@ -46,6 +46,7 @@ type ErrorHandlerOptsMatchedRoute struct {
 // ErrorHandlerOpts contains additional options that are passed to the `ErrorHandlerWithOpts` function in the case of a validation error being returned by the middleware
 type ErrorHandlerOpts struct {
 	// TODO
+	// NOTE that this will be nil if there is no matched route (i.e. it's a **??**)
 	MatchedRoute *ErrorHandlerOptsMatchedRoute
 
 	// Error is the underlying error that triggered this error handler to be executed.
@@ -77,6 +78,7 @@ type Options struct {
 	// MultiErrorHandler is called when there is an openapi3.MultiError (https://pkg.go.dev/github.com/getkin/kin-openapi/openapi3#MultiError) returned by the `openapi3filter`.
 	//
 	// If not provided `defaultMultiErrorHandler` will be used.
+	// NOTE nto called if ErrorHandlerWithOpts
 	MultiErrorHandler MultiErrorHandler
 	// SilenceServersWarning allows silencing a warning for https://github.com/deepmap/oapi-codegen/issues/882 that reports when an OpenAPI spec has `spec.Servers != nil`
 	SilenceServersWarning bool
@@ -171,16 +173,27 @@ func performRequestValidationForErrorHandlerWithOpts(next http.Handler, w http.R
 		return
 	}
 
-	// // TODO
-	// me := openapi3.MultiError{}
-	// if errors.As(err, &me) {
-	// 	fmt.Printf("me: %v\n", me)
-	// 	// errFunc := getMultiErrorHandlerFromOptions(options)
-	// 	// return errFunc(me)
-	// }
-	// // TODO
-
 	switch e := err.(type) {
+	case openapi3.MultiError:
+		errOpts.Error = e
+		errOpts.StatusCode = determineStatusCodeForMultiError(e)
+
+		// for _, err := range e {
+		// 	errs = append(errs, err)
+		// }
+		//
+		// errOpts.Error = errors.Join(errs...)
+		//
+		// fmt.Printf("e: %#v\n", e)
+		// // there's no point returning a MultiError if there's a singleton error
+		// if len(e) == 1 {
+		// 	for _, ee := range e {
+		// 		errOpts.Error = ee
+		// 		fmt.Printf("ee: %#v\n", ee)
+		// 	}
+		//
+		// }
+
 	case *openapi3filter.RequestError:
 		// We've got a bad request
 		errOpts.Error = e
@@ -267,3 +280,35 @@ func getMultiErrorHandlerFromOptions(options *Options) MultiErrorHandler {
 func defaultMultiErrorHandler(me openapi3.MultiError) (int, error) {
 	return http.StatusBadRequest, me
 }
+
+func determineStatusCodeForMultiError(errs openapi3.MultiError) int {
+	numRequestErrors := 0
+	numSecurityRequirementsErrors := 0
+
+	for _, err := range errs {
+		switch err.(type) {
+		case *openapi3filter.RequestError:
+			numRequestErrors++
+		case *openapi3filter.SecurityRequirementsError:
+			numSecurityRequirementsErrors++
+		default:
+			// if we have /any/ unknown error types, we should suggest returning an HTTP 500 Internal Server Error
+			return http.StatusInternalServerError
+		}
+	}
+
+	if numRequestErrors > 0 && numSecurityRequirementsErrors > 0 {
+		return http.StatusInternalServerError
+	}
+
+	if numRequestErrors > 0 {
+		return http.StatusBadRequest
+	}
+
+	if numSecurityRequirementsErrors > 0 {
+		return http.StatusUnauthorized
+	}
+
+	// we shouldn't hit this, but to be safe, return an HTTP 500 Internal Server Error if we don't have any cases above
+	return http.StatusInternalServerError
+}
diff --git a/oapi_validate_example_test.go b/oapi_validate_example_test.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -729,6 +730,8 @@ paths:
 			if childErr := e.Unwrap(); childErr != nil {
 				out += "There was a child error, which was "
 				switch e := childErr.(type) {
+				case openapi3.MultiError:
+					out += "a MultiError" + errors.Join(e).Error()
 				case *openapi3.SchemaError:
 					out += "a SchemaError, which failed to validate on the " + e.SchemaField + " field"
 				default:
@@ -740,6 +743,16 @@ paths:
 
 			http.Error(w, "A bad request was made - but I'm not going to tell you where or how", opts.StatusCode)
 			return
+			// NOTE that when it's a MultiError, there's more work needed here
+		case openapi3.MultiError:
+			for _, eee := range e {
+				fmt.Printf("eee: %v\n", eee)
+			}
+			http.Error(w, fmt.Sprintf("There were %d errors with that request - try again?", len(e)), opts.StatusCode)
+			return
+			// TODO
+			// http.Error(w, "MULTI"+errors.Join(e).Error(), opts.StatusCode)
+			// return
 		}
 
 		http.Error(w, err.Error(), opts.StatusCode)
@@ -803,7 +816,7 @@ paths:
 	// Received an HTTP 400 response. Expected HTTP 400
 	// Response body: A bad request was made - but I'm not going to tell you where or how
 	//
-	// # A request that is malformed is rejected with HTTP 400 Bad Request (with an invalid request body), and is then logged by the ErrorHandlerWithOpts
+	// # A request that is malformed is rejected with HTTP 400 Bad Request (with an invalid request body, with multiple issues), and is then logged by the ErrorHandlerWithOpts
 	// ErrorHandlerWithOpts: A RequestError was returned when attempting to validate the request to POST /resource: request body has an error: doesn't match schema: Error at "/id": minimum string length is 100
 	// Schema:
 	//   {
diff --git a/oapi_validate_test.go b/oapi_validate_test.go
@@ -0,0 +1,65 @@
+package nethttpmiddleware
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/getkin/kin-openapi/openapi3filter"
+)
+
+func Test_determineStatusCodeForMultiError(t *testing.T) {
+	t.Run("returns HTTP 400 Bad Request when only `RequestError`s", func(t *testing.T) {
+		errs := []error{
+			&openapi3filter.RequestError{},
+			&openapi3filter.RequestError{},
+		}
+
+		expected := 400
+		actual := determineStatusCodeForMultiError(errs)
+
+		if expected != actual {
+			t.Errorf("Expected an HTTP %d to be returned, but received %d", expected, actual)
+		}
+	})
+
+	t.Run("returns HTTP 401 Unauthorized when only `SecurityRequirementsError`s", func(t *testing.T) {
+		errs := []error{
+			&openapi3filter.SecurityRequirementsError{},
+			&openapi3filter.SecurityRequirementsError{},
+		}
+
+		expected := 401
+		actual := determineStatusCodeForMultiError(errs)
+
+		if expected != actual {
+			t.Errorf("Expected an HTTP %d to be returned, but received %d", expected, actual)
+		}
+	})
+
+	t.Run("returns HTTP 500 Internal Server Error when mixed error types", func(t *testing.T) {
+		errs := []error{
+			&openapi3filter.RequestError{},
+			&openapi3filter.SecurityRequirementsError{},
+		}
+
+		expected := 500
+		actual := determineStatusCodeForMultiError(errs)
+
+		if expected != actual {
+			t.Errorf("Expected an HTTP %d to be returned, but received %d", expected, actual)
+		}
+	})
+
+	t.Run("returns HTTP 500 Internal Server Error when unknown error type(s) are seen", func(t *testing.T) {
+		errs := []error{
+			fmt.Errorf("this isn't a known error type"),
+		}
+
+		expected := 500
+		actual := determineStatusCodeForMultiError(errs)
+
+		if expected != actual {
+			t.Errorf("Expected an HTTP %d to be returned, but received %d", expected, actual)
+		}
+	})
+}
