Swagger-ui: GET request do not allow a body

Created on 5 Jun 2019 · 8Comments · Source: swagger-api/swagger-ui

Q&A (please complete the following information)

OS: linux
Browser: firefox
Version: 67
Method of installation: composer
Swagger-UI version: 3.20.7
Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

Example Swagger/OpenAPI definition:

openapi: "3.0.0"
servers:
  - url: https://myproject.development
paths:
  /search-by-email:
    get:
      requestBody:
        description: get info by email address
        required: true
        content:
          application/json:
            schema:
              type: object   
              properties:
                email:
                  type: string
                  example: [email protected]

Describe the bug you're encountering

As far as i understand the http specs, sending a body is also valid in a GET call.
Cause E-Mail Addresses are privacy relevant, we don't like to have it in the URL (as path part or query parameter).

This endpoint does not modify anything, so POST is not a correct method to do so.

Source

dominikzogg

Most helpful comment

Has there been any follow up on this? OpenAPI did end up allowing a request body on GET requests. Should this be re-opened?

tseale07 on 24 Jul 2020

👍5

All 8 comments

https://tools.ietf.org/html/rfc7231#section-4.3.1 :

A payload within a GET request message has no defined semantics;
sending a payload body on a GET request might cause some existing
implementations to reject the request.

pavlus on 24 Jun 2019

🎉1

@pavlus as far as i understand this, this mean that a server does not need to implement this, not that the spec forbits it. So if the backend application is been able to do it, its ok todo so.

dominikzogg on 24 Jun 2019

👍1

@dominikzogg, we've had a _lot_ of discussion around this.

in Swagger UI: #4425, #2867, #2136
in Swagger Editor: swagger-api/swagger-editor#1929
in the OpenAPI Specification: https://github.com/OAI/OpenAPI-Specification/issues/1801, https://github.com/OAI/OpenAPI-Specification/issues/1747

most of all, you should pay attention to what happens in https://github.com/OAI/OpenAPI-Specification/pull/1937, as it's looking like OpenAPI 3.0.3 could support your use case.

for now, Swagger UI doesn't support this, because we're waiting on OpenAPI to make a final decision and release a new version of the specification. the tickets I've linked to contain, probably, more info than you care to know about why we do things that way 😄

closing for now -- let me know if you have any lingering questions!

shockey on 24 Jun 2019

@shockey thanks for the additional information, issue at this level is solved so far

dominikzogg on 24 Jun 2019

👍1

Apparently, If swagger sticks to the OpenAPI standard, we should avoid using swagger with Spring MVC, since Spring MVC allows GET request with a body.
If Swagger does not allow this, we have to seek alternatives, either Swagger or Spring MVC. Given we already have so many applications running in production, it's unlikely we replace the application framework, we have to replace Swagger.