GET request do not allow a body

[dominikzogg]

Q&A (please complete the following information)

• OS: linux
• Browser: firefox
• Version: 67
• Method of installation: composer
• Swagger-UI version: 3.20.7
• Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

Example Swagger/OpenAPI definition:

openapi: "3.0.0"
servers:
  - url: https://myproject.development
paths:
  /search-by-email:
    get:
      requestBody:
        description: get info by email address
        required: true
        content:
          application/json:
            schema:
              type: object   
              properties:
                email:
                  type: string
                  example: [email protected]

Describe the bug you're encountering

As far as i understand the http specs, sending a body is also valid in a GET call.
Cause E-Mail Addresses are privacy relevant, we don't like to have it in the URL (as path part or query parameter).

This endpoint does not modify anything, so POST is not a correct method to do so.

[pavlus]

https://tools.ietf.org/html/rfc7231#section-4.3.1 :

A payload within a GET request message has no defined semantics;
sending a payload body on a GET request might cause some existing
implementations to reject the request.

[dominikzogg]

@pavlus as far as i understand this, this mean that a server does not need to implement this, not that the spec forbits it. So if the backend application is been able to do it, its ok todo so.

[shockey]

@dominikzogg, we've had a lot of discussion around this.

• in Swagger UI: Message "DELETE operations cannot have a requestBody" appears on a previously OK specification. #4425, Request with GET/HEAD method cannot have body #2867, GET method doesn't support body payload #2136
• in Swagger Editor: ERROR: DELETE operations cannot have a requestBody contradicts RFC 7231 Section 4.3.5 swagger-editor#1929
• in the OpenAPI Specification: Allow requestBody for the DELETE method. OAI/OpenAPI-Specification#1801, Support all HTTP Methods OAI/OpenAPI-Specification#1747

most of all, you should pay attention to what happens in OAI/OpenAPI-Specification#1937, as it's looking like OpenAPI 3.0.3 could support your use case.

for now, Swagger UI doesn't support this, because we're waiting on OpenAPI to make a final decision and release a new version of the specification. the tickets I've linked to contain, probably, more info than you care to know about why we do things that way 😄

closing for now -- let me know if you have any lingering questions!

[dominikzogg]

@shockey thanks for the additional information, issue at this level is solved so far

[niulin]

Apparently, If swagger sticks to the OpenAPI standard, we should avoid using swagger with Spring MVC, since Spring MVC allows GET request with a body.
If Swagger does not allow this, we have to seek alternatives, either Swagger or Spring MVC. Given we already have so many applications running in production, it's unlikely we replace the application framework, we have to replace Swagger.

[tseale07]

Has there been any follow up on this? OpenAPI did end up allowing a request body on GET requests. Should this be re-opened?

[miraculixx]

Has there been any follow up on this? OpenAPI did end up allowing a request body on GET requests

Indeed, see OAI/OpenAPI-Specification#2117

IMHO this issue should be reopened to keep in line with the OpenAPI specs.

[mehulchandroliya]

Yes Please reopen

[dimos171]

using .NET swashbuckle.AspNetCore.SwaggerUI 6.2.2 and have the same error.
please reopen

[evgenisokolov]

I'm also voting for reopening this since it's becoming quite common to use get requests with body

[labeled]

+1

[vikumar-ciena]

+1

[okohub]

+1

[diogo-correia-tec]

+1

[christophe-taret-zenika]

+1

[hoylu-royberg]

+1