openapi: fix request validation for application/x-www-form-urlencoded #256

Merged
intel352 merged 3 commits into main from copilot/fix-openapi-request-validation
Mar 4, 2026

Copilot AI commented Mar 3, 2026

  • Add net/url to imports in module/openapi.go
  • Add validateFormBody function to validate url.Values against an object schema
  • Modify the body validation logic in validate to handle application/x-www-form-urlencoded by parsing form data instead of JSON
  • Add kind parameter to validateScalarValue so form body errors say "field" not "parameter"
  • Fix validateFormBody to validate present-but-empty form fields (check key presence, not empty string)
  • Add TestOpenAPIModule_RequestValidation_FormEncoded test with subtests: valid form body, missing required field, empty body when required, present-but-empty field violates minLength
Original prompt

This section details on the original issue you should resolve

<issue_title>openapi: request validation fails for application/x-www-form-urlencoded content type</issue_title>
<issue_description>When validation.request: true is set on the openapi module, request validation for operations with application/x-www-form-urlencoded content type fails with:

{"error":"request validation failed","errors":["request body contains invalid JSON: invalid character 'B' looking for beginning of value"]}

The validator attempts to parse the form-encoded body as JSON, ignoring the Content-Type header and the spec's declared content type.

Reproduce:

  1. Define an operation with application/x-www-form-urlencoded request body in the spec
  2. Enable validation.request: true on the openapi module
  3. Send a form-encoded POST request to the operation's path
  4. Observe: validation rejects the request with "invalid JSON" error
  5. Expected: validation should parse and validate form-encoded bodies correctly, or skip validation for non-JSON content types

Workaround: Remove requestBody from the spec for form-encoded operations. The pipeline can still parse the body via step.request_parse with parse_body: true.

Spec example:

```yaml
/webhook:
  post:
    operationId: receiveWebhook
    x-pipeline: handle-webhook
    requestBody:
      required: true
      content:
        application/x-www-form-urlencoded:
          schema:
            type: object
            properties:
              Body:
                type: string
              From:
                type: string
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

… content type

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix request validation for application/x-www-form-urlencoded" to "openapi: fix request validation for application/x-www-form-urlencoded" Mar 3, 2026
@intel352 intel352 marked this pull request as ready for review March 3, 2026 23:25
Copilot AI review requested due to automatic review settings March 3, 2026 23:25

Copilot AI left a comment

Pull request overview

Fixes OpenAPI request-body validation to respect Content-Type when validation.request: true, adding support for validating application/x-www-form-urlencoded bodies instead of always treating bodies as JSON.

Changes:

  • Branch request-body parsing/validation by content type, using url.ParseQuery for application/x-www-form-urlencoded.
  • Add validateFormBody to validate form fields against the requestBody schema using existing scalar validation logic.
  • Add unit test coverage for form-encoded request validation (valid body, missing required field, empty required body).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| module/openapi.go | Adds content-type aware request-body validation and new validateFormBody helper for form data. |
| module/openapi_test.go | Adds a focused test for form-encoded request-body validation scenarios. |

Comment on lines +716 to +719
val := values.Get(field)
if val == "" {
continue
}

Copilot AI Mar 3, 2026

In validateFormBody, val == "" causes the code to skip validation entirely for present-but-empty form fields. That means constraints like minLength, pattern, and enum are not enforced on empty strings, and a required string field can be sent as Body= without any schema validation running. Consider validating when the key is present in values (even if the value is empty), and only skipping when the key is absent.

Suggested change
val := values.Get(field)
if val == "" {
continue
}
vals, present := values[field]
if !present {
continue
}
var val string
if len(vals) > 0 {
val = vals[0]
}
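Review bot: val = vals[0] in the replacement validates only the first value of a repeated key, so a body such as Body=ok&Body= has its first value checked against minLength, pattern and enum while the later values are never looked at. If the code that consumes the form reads a different occurrence than the one validated here, the schema check does not cover the value actually used. Consider looping over every element of vals, or rejecting repeated keys for properties the schema declares as scalar.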

Comment on lines +720 to +722
if fieldErrs := validateScalarValue(val, field, propSchema); len(fieldErrs) > 0 {
errs = append(errs, fieldErrs...)
}

Copilot AI Mar 3, 2026

validateFormBody reuses validateScalarValue, but validateScalarValue hardcodes error text as "parameter ..." and uses "parameter" when applying string constraints. For request body form fields this produces misleading messages (they’re fields, not parameters) and is inconsistent with JSON body validation which reports "field" errors. Consider adding a field-specific scalar validator (or parameterize validateScalarValue with a kind) so form-body errors are labeled correctly.

intel352 commented Mar 3, 2026

@copilot apply changes based on the comments in this thread

…' in errors

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

Copilot AI commented Mar 3, 2026

@copilot apply changes based on the comments in this thread

Applied both fixes in ca2cec3:

  1. Present-but-empty field validation: validateFormBody now checks key presence in values (not empty-string), so Body= (empty value) is still validated against constraints like minLength/pattern/enum.

  2. Error message labels: Added a kind parameter to validateScalarValue (consistent with how validateStringConstraints already works). Form body validation passes "field", parameter validation passes "parameter" — so errors now correctly read field "Body" must have minLength 1 instead of parameter "Body" ....

@intel352 intel352 merged commit a5bf3f5 into main Mar 4, 2026
14 checks passed
@intel352 intel352 deleted the copilot/fix-openapi-request-validation branch March 4, 2026 00:07
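
The behaviour this PR settles on (choose the body parser from Content-Type, then validate form fields by key presence so that `Body=` is still checked), as an added example that is not the project's module/openapi.go code. The `fieldSchema` type and this simplified `validateFormBody` signature are assumptions made for illustration, and the example goes one step beyond the thread by checking every value of a repeated key.

```go
package main

import (
	"fmt"
	"mime"
	"net/url"
	"sort"
	"unicode/utf8"
)

// fieldSchema is a hypothetical stand-in for an OpenAPI string property.
type fieldSchema struct {
	Required  bool
	MinLength int
}

// validateFormBody picks the parser from Content-Type, then validates each
// schema field by key presence, so "Body=" is still checked against minLength.
func validateFormBody(contentType, body string, schema map[string]fieldSchema) []string {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/x-www-form-urlencoded" {
		return []string{"unsupported content type"}
	}
	values, err := url.ParseQuery(body)
	if err != nil {
		return []string{"request body contains invalid form data"}
	}
	var errs []string
	for name, s := range schema {
		vals, present := values[name]
		if !present && s.Required {
			errs = append(errs, fmt.Sprintf("field %q is required", name))
		}
		for _, v := range vals { // every repeated value, not only the first
			if utf8.RuneCountInString(v) < s.MinLength {
				errs = append(errs, fmt.Sprintf("field %q must have minLength %d", name, s.MinLength))
			}
		}
	}
	sort.Strings(errs) // map iteration order is random; keep output stable
	return errs
}

func main() {
	schema := map[string]fieldSchema{"Body": {Required: true, MinLength: 1}, "From": {}}
	// Constructed sample bodies: valid, missing field, empty value, repeated key.
	for _, b := range []string{"Body=hi&From=%2B15550100", "From=x", "Body=", "Body=ok&Body="} {
		fmt.Printf("%q -> %v\n", b, validateFormBody("application/x-www-form-urlencoded; charset=utf-8", b, schema))
	}
}
```
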
Development

Successfully merging this pull request may close these issues.

openapi: request validation fails for application/x-www-form-urlencoded content type