diff --git a/go.mod b/go.mod index 7eeaecc..79f1d51 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.25.0 require ( github.com/go-openapi/errors v0.22.7 - github.com/go-openapi/runtime v0.31.0 + github.com/go-openapi/runtime v0.32.1 github.com/go-openapi/strfmt v0.26.2 github.com/go-openapi/swag v0.26.0 github.com/go-openapi/validate v0.25.2 diff --git a/go.sum b/go.sum index 5f8cef2..423b837 100644 --- a/go.sum +++ b/go.sum @@ -17,8 +17,8 @@ github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ= github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA= -github.com/go-openapi/runtime v0.31.0 h1:vhmlo1LMjGXYTlYB0eFm0tTVuAidDHtmrL1nAABzUCg= -github.com/go-openapi/runtime v0.31.0/go.mod h1:fZnoje1YWt7IrH/fHBOS1h9+VzeS1d0cHj8TTkZOaRc= +github.com/go-openapi/runtime v0.32.1 h1:seZ/Mae6GIonXYo+Y7JrQlFDCtKdGwXFx4Q49iVg698= +github.com/go-openapi/runtime v0.32.1/go.mod h1:IfM3cpgencPuwBp5Uo16i2IQaE74odL7Q4DCGovIQac= github.com/go-openapi/runtime/server-middleware v0.30.0 h1:8rPoJ/xv7JL8BsovaqboKETlpWBArVh8n+0L/GyePog= github.com/go-openapi/runtime/server-middleware v0.30.0/go.mod h1:OYNT/TxNvB/VK5oe4htM2jDTwlEXuejVJmu0DVZfAMs= github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ= @@ -51,10 +51,10 @@ github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFu github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE= github.com/go-openapi/swag/yamlutils v0.26.0 h1:H7O8l/8NJJQ/oiReEN+oMpnGMyt8G0hl460nRZxhLMQ= github.com/go-openapi/swag/yamlutils v0.26.0/go.mod h1:1evKEGAtP37Pkwcc7EWMF0hedX0/x3Rkvei2wtG/TbU= -github.com/go-openapi/testify/enable/yaml/v2 v2.5.0 h1:3hZD1fwydvCx/cc1R2uYNQirHqf2s6lqpKV3FcNTURA= -github.com/go-openapi/testify/enable/yaml/v2 v2.5.0/go.mod h1:TvDZKBH7ZbMaF3EqH2AwTvNQCmzyZq8K1agRjf1B+Nk= -github.com/go-openapi/testify/v2 v2.5.0 h1:UOCr63aAsMIDydZbZGqo5Ev01D4eydItRbekDuZMJLw= -github.com/go-openapi/testify/v2 v2.5.0/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw= +github.com/go-openapi/testify/enable/yaml/v2 v2.5.1 h1:q9NtHwK4qHF7yZziBPvZyv7zWAIk8ok88Gh2mR6Jpc8= +github.com/go-openapi/testify/enable/yaml/v2 v2.5.1/go.mod h1:JW0MXIotCYps/XsgJnG3a8Q7rE5xAiBwoOD5OfaIQBk= +github.com/go-openapi/testify/v2 v2.5.1 h1:TMdhCaw8fUNraVSf3Omoob1dO/AzBfhtFAPW0an6sBo= +github.com/go-openapi/testify/v2 v2.5.1/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw= github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0= github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY= github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro= diff --git a/vendor/github.com/go-openapi/runtime/.codecov.yml b/vendor/github.com/go-openapi/runtime/.codecov.yml new file mode 100644 index 0000000..a5ba8e9 --- /dev/null +++ b/vendor/github.com/go-openapi/runtime/.codecov.yml @@ -0,0 +1,9 @@ +codecov: + notify: + after_n_builds: 2 + +coverage: + status: + patch: + default: + target: 80% diff --git a/vendor/github.com/go-openapi/runtime/CONTRIBUTORS.md b/vendor/github.com/go-openapi/runtime/CONTRIBUTORS.md index 443d104..ad4c2d2 100644 --- a/vendor/github.com/go-openapi/runtime/CONTRIBUTORS.md +++ b/vendor/github.com/go-openapi/runtime/CONTRIBUTORS.md @@ -4,12 +4,12 @@ | Total Contributors | Total Contributions | | --- | --- | -| 71 | 542 | +| 71 | 557 | | Username | All Time Contribution Count | All Commits | | --- | --- | --- | | @casualjim | 268 | | -| @fredbi | 117 | | +| @fredbi | 132 | | | @youyuanwu | 19 | | | @josephwoodward | 13 | | | @kenjones-cisco | 12 | | diff --git a/vendor/github.com/go-openapi/runtime/client/opentelemetry.go b/vendor/github.com/go-openapi/runtime/client/opentelemetry.go index d11f791..e422f83 100644 --- a/vendor/github.com/go-openapi/runtime/client/opentelemetry.go +++ b/vendor/github.com/go-openapi/runtime/client/opentelemetry.go @@ -4,6 +4,7 @@ package client import ( + "context" "fmt" "net/http" "strings" @@ -26,9 +27,14 @@ const ( // WithOpenTelemetry adds opentelemetry support to the provided runtime. // A new client span is created for each request. -// If the context of the client operation does not contain an active span, no span is created. // The provided opts are applied to each spans - for example to add global tags. -func (r *Runtime) WithOpenTelemetry(opts ...OpenTelemetryOpt) runtime.ClientTransport { +// +// The returned transport satisfies [runtime.ContextualTransport]: callers +// should prefer [openTelemetryTransport.SubmitContext] over the +// legacy [runtime.ClientOperation.Context] field. Setting that +// field is still honored on the [openTelemetryTransport.Submit] +// compatibility path. +func (r *Runtime) WithOpenTelemetry(opts ...OpenTelemetryOpt) runtime.ContextualTransport { return newOpenTelemetryTransport(r, r.Host, opts) } @@ -52,7 +58,7 @@ func (r *Runtime) WithOpenTelemetry(opts ...OpenTelemetryOpt) runtime.ClientTran // usual opentracing options and opentracing-enabled transport. // // Passed options are ignored unless they are of type [OpenTelemetryOpt]. -func (r *Runtime) WithOpenTracing(opts ...any) runtime.ClientTransport { +func (r *Runtime) WithOpenTracing(opts ...any) runtime.ContextualTransport { otelOpts := make([]OpenTelemetryOpt, 0, len(opts)) for _, o := range opts { otelOpt, ok := o.(OpenTelemetryOpt) @@ -155,11 +161,31 @@ func newOpenTelemetryTransport(transport runtime.ClientTransport, host string, o return tr } +// Submit implements [runtime.ClientTransport]. It honors the legacy +// [runtime.ClientOperation.Context] field for backward compatibility +// — that field is being phased out; new code should call +// [openTelemetryTransport.SubmitContext] directly with an explicit +// context. func (t *openTelemetryTransport) Submit(op *runtime.ClientOperation) (any, error) { - if op.Context == nil { - return t.transport.Submit(op) + ctx := op.Context + if ctx == nil { + ctx = context.Background() } + return t.SubmitContext(ctx, op) +} +// SubmitContext submits an operation with an explicit context that +// drives both the tracing span and (when supported) the wrapped +// transport's SubmitContext call. The legacy +// [runtime.ClientOperation.Context] field is not consulted. +// +// When the wrapped transport implements [runtime.ContextualTransport], ctx is +// forwarded directly via its SubmitContext. Otherwise, the legacy +// Submit path is used: ctx is stamped onto op.Context for the +// duration of that call and restored afterwards, so the wrapped +// transport still receives a usable context. The legacy fallback +// disappears once SubmitContext is universal (v2). +func (t *openTelemetryTransport) SubmitContext(ctx context.Context, op *runtime.ClientOperation) (any, error) { params := op.Params reader := op.Reader @@ -171,7 +197,7 @@ func (t *openTelemetryTransport) Submit(op *runtime.ClientOperation) (any, error }() op.Params = runtime.ClientRequestWriterFunc(func(req runtime.ClientRequest, reg strfmt.Registry) error { - span = t.newOpenTelemetrySpan(op, req.GetHeaderParams()) + span = t.newOpenTelemetrySpan(ctx, op, req.GetHeaderParams()) return params.WriteToRequest(req, reg) }) @@ -191,7 +217,7 @@ func (t *openTelemetryTransport) Submit(op *runtime.ClientOperation) (any, error return reader.ReadResponse(response, consumer) }) - submit, err := t.transport.Submit(op) + submit, err := t.submitWrapped(ctx, op) if err != nil && span != nil { span.RecordError(err) span.SetStatus(codes.Error, err.Error()) @@ -200,9 +226,18 @@ func (t *openTelemetryTransport) Submit(op *runtime.ClientOperation) (any, error return submit, err } -func (t *openTelemetryTransport) newOpenTelemetrySpan(op *runtime.ClientOperation, header http.Header) trace.Span { - ctx := op.Context +//nolint:contextcheck // ctx is forwarded verbatim; the legacy Submit branch only stamps it onto op.Context for the wrapped transport. +func (t *openTelemetryTransport) submitWrapped(ctx context.Context, op *runtime.ClientOperation) (any, error) { + if sc, ok := t.transport.(runtime.ContextualTransport); ok { + return sc.SubmitContext(ctx, op) + } + prev := op.Context + op.Context = ctx + defer func() { op.Context = prev }() + return t.transport.Submit(op) +} +func (t *openTelemetryTransport) newOpenTelemetrySpan(ctx context.Context, op *runtime.ClientOperation, header http.Header) trace.Span { tracer := t.tracer if tracer == nil { if span := trace.SpanFromContext(ctx); span.SpanContext().IsValid() { diff --git a/vendor/github.com/go-openapi/runtime/client/runtime.go b/vendor/github.com/go-openapi/runtime/client/runtime.go index efbe8e4..604fb0e 100644 --- a/vendor/github.com/go-openapi/runtime/client/runtime.go +++ b/vendor/github.com/go-openapi/runtime/client/runtime.go @@ -44,7 +44,8 @@ type Runtime struct { Host string BasePath string Formats strfmt.Registry - Context context.Context //nolint:containedctx // we precisely want this type to contain the request context + // Deprecated: prefer [runtime.ContextualTransport.SubmitContext] to pass the request context explicitly. + Context context.Context //nolint:containedctx // we precisely want this type to contain the request context Debug bool @@ -85,6 +86,8 @@ type Runtime struct { response ClientResponseFunc } +var _ runtime.ContextualTransport = &Runtime{} + // New creates a new default runtime for a swagger api runtime.Client. func New(host, basePath string, schemes []string) *Runtime { var rt Runtime @@ -293,7 +296,7 @@ func (r *Runtime) SetResponseReader(f ClientResponseFunc) { func (r *Runtime) ensureContext(operation *runtime.ClientOperation) context.Context { switch { - case operation.Context != nil: + case operation.Context != nil: //nolint:staticcheck // kept for backward compatibility return operation.Context case r.Context != nil: return r.Context diff --git a/vendor/github.com/go-openapi/runtime/client_operation.go b/vendor/github.com/go-openapi/runtime/client_operation.go index ad7277e..61f6ead 100644 --- a/vendor/github.com/go-openapi/runtime/client_operation.go +++ b/vendor/github.com/go-openapi/runtime/client_operation.go @@ -19,12 +19,30 @@ type ClientOperation struct { AuthInfo ClientAuthInfoWriter Params ClientRequestWriter Reader ClientResponseReader - Context context.Context //nolint:containedctx // we precisely want this type to contain the request context - Client *http.Client + // Deprecated: prefer [ContextualTransport.SubmitContext] to pass the request context explicitly. + Context context.Context //nolint:containedctx // we precisely want this type to contain the request context + Client *http.Client } // A ClientTransport implementor knows how to submit Request objects to some destination. type ClientTransport interface { - // Submit(string, RequestWriter, ResponseReader, AuthInfoWriter) (interface{}, error) + // Submit the operation and return the deserialized response or an error. Submit(*ClientOperation) (any, error) } + +// ContextualTransport extends [ClientTransport] with an explicit +// context-aware submission method. +// +// Wrappers such as the OpenTelemetry transport type-assert to this +// interface so they can forward an explicit context to the underlying +// transport without setting the cached [ClientOperation.Context] field. +// +// In v2, SubmitContext will be folded into [ClientTransport] itself +// and the cached [ClientOperation.Context] field removed; this interface +// is the v0.x bridge. +type ContextualTransport interface { + ClientTransport + + // SubmitContext submits the operation using ctx as the request context. + SubmitContext(ctx context.Context, operation *ClientOperation) (any, error) +} diff --git a/vendor/github.com/go-openapi/runtime/form.go b/vendor/github.com/go-openapi/runtime/form.go index 2293920..b4b36f1 100644 --- a/vendor/github.com/go-openapi/runtime/form.go +++ b/vendor/github.com/go-openapi/runtime/form.go @@ -8,6 +8,7 @@ import ( "fmt" "mime/multipart" "net/http" + "strings" "github.com/go-openapi/errors" ) @@ -281,8 +282,55 @@ func countFileParts(r *http.Request) int { return n } +// FormFile resolves a file field from a parsed form body, transparently +// handling both content types accepted for `type: file` parameters by +// the OpenAPI 2.0 spec: +// +// - multipart/form-data — delegates to [http.Request.FormFile]. +// - application/x-www-form-urlencoded — looks up the field in +// r.PostForm and synthesizes a [multipart.File] backed by the +// value bytes plus a [multipart.FileHeader] with Filename equal +// to the field name and Size set to the byte length. +// +// Returns [http.ErrMissingFile] when the field is absent under either +// content type. Callers must have parsed the body upstream (e.g. via +// [BindForm] or [http.Request.ParseForm]) before reading from the +// urlencoded path — [http.Request.FormFile] takes care of parsing on +// the multipart path. +// +// Presence is the only criterion for binding a urlencoded file: an +// empty value (e.g. `file=`) is bound as a zero-byte file. +func FormFile(r *http.Request, name string) (multipart.File, *multipart.FileHeader, error) { + file, header, err := r.FormFile(name) + if err == nil { + return file, header, nil + } + if !stderrors.Is(err, http.ErrNotMultipart) { + return nil, nil, err + } + + values, present := r.PostForm[name] + if !present { + return nil, nil, http.ErrMissingFile + } + value := values[0] + return urlencodedFile{Reader: strings.NewReader(value)}, + &multipart.FileHeader{Filename: name, Size: int64(len(value))}, + nil +} + +// urlencodedFile adapts a urlencoded form value (already buffered in +// memory by [http.Request.ParseForm]) to the [multipart.File] +// interface. The embedded [strings.Reader] supplies Read/ReadAt/Seek; +// Close is a no-op since there is no resource to release. +type urlencodedFile struct { + *strings.Reader +} + +func (urlencodedFile) Close() error { return nil } + func bindFormFile(r *http.Request, spec formFileSpec, maxFilenameLen int) error { - file, header, err := r.FormFile(spec.name) + file, header, err := FormFile(r, spec.name) if err != nil { if stderrors.Is(err, http.ErrMissingFile) { if spec.required { diff --git a/vendor/github.com/go-openapi/runtime/middleware/context.go b/vendor/github.com/go-openapi/runtime/middleware/context.go index 0942ede..8291f63 100644 --- a/vendor/github.com/go-openapi/runtime/middleware/context.go +++ b/vendor/github.com/go-openapi/runtime/middleware/context.go @@ -481,46 +481,6 @@ func (c *Context) ResetAuth(request *http.Request) *http.Request { return request.WithContext(rctx) } -// Authorize authorizes the request. -// -// Returns the principal object and a shallow copy of the request when its -// context doesn't contain the principal, otherwise the same request or an error -// (the last) if one of the authenticators returns one or an Unauthenticated error. -func (c *Context) Authorize(request *http.Request, route *MatchedRoute) (any, *http.Request, error) { - if route == nil || !route.HasAuth() { - return nil, nil, nil - } - - var rCtx = request.Context() - if v := rCtx.Value(ctxSecurityPrincipal); v != nil { - return v, request, nil - } - - applies, usr, err := route.Authenticators.Authenticate(request, route) - if !applies || err != nil || !route.Authenticators.AllowsAnonymous() && typeutils.IsZero(usr) { - if err != nil { - return nil, nil, err - } - return nil, nil, errors.Unauthenticated("invalid credentials") - } - if route.Authorizer != nil { - if err := route.Authorizer.Authorize(request, usr); err != nil { - var apiError errors.Error - if stderrors.As(err, &apiError) { - return nil, nil, err - } - - return nil, nil, errors.New(http.StatusForbidden, "%v", err) - } - } - - rCtx = request.Context() - - rCtx = stdContext.WithValue(rCtx, ctxSecurityPrincipal, usr) - rCtx = stdContext.WithValue(rCtx, ctxSecurityScopes, route.Authenticator.AllScopes()) - return usr, request.WithContext(rCtx), nil -} - // BindAndValidate binds and validates the request // Returns the validation map and a shallow copy of the request when its context // doesn't contain the validation, otherwise it returns the same request or an @@ -667,6 +627,49 @@ func (c *Context) RoutesHandler(builder Builder) http.Handler { return NewRouter(c, b(NewOperationExecutor(c))) } +// authorizeImpl is the real authentication+authorization body shared +// between the production and dev-only variants of [Context.Authorize]. +// See context_skipauth_disabled.go (default build) and +// context_skipauth_enabled.go (the `openapi_unsafe_skipauth` build tag). +// +// The doc on the exported Authorize describes the user-facing +// contract; this function MUST NOT change semantics for the +// production path. +func (c *Context) authorizeImpl(request *http.Request, route *MatchedRoute) (any, *http.Request, error) { + if route == nil || !route.HasAuth() { + return nil, nil, nil + } + + var rCtx = request.Context() + if v := rCtx.Value(ctxSecurityPrincipal); v != nil { + return v, request, nil + } + + applies, usr, err := route.Authenticators.Authenticate(request, route) + if !applies || err != nil || !route.Authenticators.AllowsAnonymous() && typeutils.IsZero(usr) { + if err != nil { + return nil, nil, err + } + return nil, nil, errors.Unauthenticated("invalid credentials") + } + if route.Authorizer != nil { + if err := route.Authorizer.Authorize(request, usr); err != nil { + var apiError errors.Error + if stderrors.As(err, &apiError) { + return nil, nil, err + } + + return nil, nil, errors.New(http.StatusForbidden, "%v", err) + } + } + + rCtx = request.Context() + + rCtx = stdContext.WithValue(rCtx, ctxSecurityPrincipal, usr) + rCtx = stdContext.WithValue(rCtx, ctxSecurityScopes, route.Authenticator.AllScopes()) + return usr, request.WithContext(rCtx), nil +} + func (c *Context) bindRequestBody(request *http.Request, route *MatchedRoute) (string, runtime.Consumer, error) { ct, _, err := runtime.ContentType(request.Header) if err != nil { diff --git a/vendor/github.com/go-openapi/runtime/middleware/context_skipauth_disabled.go b/vendor/github.com/go-openapi/runtime/middleware/context_skipauth_disabled.go new file mode 100644 index 0000000..c8cd01a --- /dev/null +++ b/vendor/github.com/go-openapi/runtime/middleware/context_skipauth_disabled.go @@ -0,0 +1,24 @@ +// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers +// SPDX-License-Identifier: Apache-2.0 + +//go:build !openapi_unsafe_skipauth + +package middleware + +import "net/http" + +// Authorize authorizes the request. +// +// Returns the principal object and a shallow copy of the request when its +// context doesn't contain the principal, otherwise the same request or an error +// (the last) if one of the authenticators returns one or an Unauthenticated error. +// +// This is the production variant — compiled when the build tag +// `openapi_unsafe_skipauth` is NOT set. There is no skip-auth check +// in this codepath; the field, setter, and storage for the bypass +// flag are entirely absent from the binary. See the alternate +// implementation in context_skipauth_enabled.go for the dev-only +// bypass mechanism. +func (c *Context) Authorize(request *http.Request, route *MatchedRoute) (any, *http.Request, error) { + return c.authorizeImpl(request, route) +} diff --git a/vendor/github.com/go-openapi/runtime/middleware/context_skipauth_enabled.go b/vendor/github.com/go-openapi/runtime/middleware/context_skipauth_enabled.go new file mode 100644 index 0000000..2ac8706 --- /dev/null +++ b/vendor/github.com/go-openapi/runtime/middleware/context_skipauth_enabled.go @@ -0,0 +1,61 @@ +// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers +// SPDX-License-Identifier: Apache-2.0 + +//go:build openapi_unsafe_skipauth + +package middleware + +import ( + "log" + "net/http" + "sync/atomic" +) + +// skipAuthEnabled holds the process-wide skip-auth flag. It only +// exists in binaries built with the `openapi_unsafe_skipauth` tag — +// production binaries (built without the tag) have no field, no +// setter, no storage, and no skip-checking branch in [Context.Authorize]. +// Reflection, unsafe-pointer arithmetic, or a debugger cannot flip +// what is not in the binary. +var skipAuthEnabled atomic.Bool + +// SetSkipAuth toggles a PROCESS-WIDE bypass of authentication AND +// authorization for every operation served by every Context in the +// running program. +// +// DANGER: this disables ALL authentication and ALL authorization. +// Every request to every secured endpoint runs as if it had been +// authorized with a nil principal. Use ONLY on developer +// workstations during early prototyping (e.g. while +// authentication is not yet wired up). +// +// This function exists only when the build tag +// `openapi_unsafe_skipauth` is set: +// +// go build -tags openapi_unsafe_skipauth ./... +// +// Production CI MUST NOT pass this tag. Calls compile to a symbol +// that does not exist in production binaries. +// +// Calling with true emits a one-line WARNING via the stdlib `log` +// package (stderr by default) so the bypass is visible at startup. +// Calling with false silently disables it. +func SetSkipAuth(skip bool) { + skipAuthEnabled.Store(skip) + if skip { + log.Println("WARNING: go-openapi/runtime: SetSkipAuth(true) — authentication and authorization are bypassed for ALL operations. This MUST NOT run in production.") + } +} + +// Authorize is the dev-build variant of the production +// [Context.Authorize] (see context_skipauth_disabled.go for the +// production path). When [SetSkipAuth] has enabled the bypass, this +// returns a nil principal with the original request and no error — +// handlers downstream receive a nil-value principal. Otherwise it +// delegates to the standard authentication+authorization body. +func (c *Context) Authorize(request *http.Request, route *MatchedRoute) (any, *http.Request, error) { + if skipAuthEnabled.Load() { + return nil, request, nil + } + return c.authorizeImpl(request, route) +} diff --git a/vendor/github.com/go-openapi/runtime/middleware/parameter.go b/vendor/github.com/go-openapi/runtime/middleware/parameter.go index 3c96b21..4ae8e3d 100644 --- a/vendor/github.com/go-openapi/runtime/middleware/parameter.go +++ b/vendor/github.com/go-openapi/runtime/middleware/parameter.go @@ -131,13 +131,19 @@ func (p *untypedParamBinder) bindFormData(request *http.Request, _ RouteParams, } if p.parameter.Type == "file" { - file, header, ffErr := request.FormFile(p.parameter.Name) + // runtime.FormFile handles both multipart/form-data and + // application/x-www-form-urlencoded (OpenAPI 2.0 permits + // either consumes for `type: file`), and surfaces a + // missing field as http.ErrMissingFile under both. + file, header, ffErr := runtime.FormFile(request, p.parameter.Name) if ffErr != nil { - if p.parameter.Required { - return errors.NewParseError(p.Name, p.parameter.In, "", ffErr) + if stderrors.Is(ffErr, http.ErrMissingFile) { + if p.parameter.Required { + return errors.NewParseError(p.Name, p.parameter.In, "", http.ErrMissingFile) + } + return nil } - - return nil + return errors.NewParseError(p.Name, p.parameter.In, "", ffErr) } // Mirror the FileHeader.Filename length cap that BindForm diff --git a/vendor/modules.txt b/vendor/modules.txt index 669a6f0..fa85ea4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -33,7 +33,7 @@ github.com/go-openapi/jsonreference/internal # github.com/go-openapi/loads v0.23.3 ## explicit; go 1.24.0 github.com/go-openapi/loads -# github.com/go-openapi/runtime v0.31.0 +# github.com/go-openapi/runtime v0.32.1 ## explicit; go 1.25.0 github.com/go-openapi/runtime github.com/go-openapi/runtime/client