Obey request-body-strict in OpenAPI schema generation

[Copilot]

Why make this change?

Closes #2947, Closes #1838

OpenAPI schemas did not reflect the request-body-strict runtime setting. When false, clients can send extra fields (which are ignored), but the generated schema didn't communicate this—potentially misleading API consumers.

What is this change?

Sets additionalProperties on request body schemas based on request-body-strict config:

• true (default): additionalProperties: false — strict field validation
• false: additionalProperties: true — extra fields allowed

Affected schemas:

• {EntityName}, {EntityName}_NoAutoPK, {EntityName}_NoPK
• {EntityName}_sp_request (stored procedures)

Example OpenAPI output when request-body-strict: false:

{
  "components": {
    "schemas": {
      "Book": {
        "type": "object",
        "properties": { ... },
        "additionalProperties": true
      }
    }
  }
}

How was this tested?

• Integration Tests
• Unit Tests

Added RequestBodyStrictTests.cs with tests for both strict/non-strict modes validating AdditionalPropertiesAllowed on generated schemas.

Sample Request(s)

GET /api/openapi

Returns OpenAPI document with additionalProperties: true on request body schemas when config has:

{
  "runtime": {
    "rest": {
      "request-body-strict": false
    }
  }
}

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Enh]: Obey "request-body-strict" in OpenAPI</issue_title>
<issue_description>## What?

Today, our OpenAPI includes object types that are not required by the endpoint. See #1838</issue_description>

<agent_instructions>include resolution for #1838 resolve both in a single pr with as little new code as possible</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@JerryNixon ### The Problem

Current behavior: The OpenAPI document generated by DAB includes schemas for models like EntityName_NoAutoPK (entities without auto-generated primary keys) regardless of the runtime.rest.request-body-strict configuration setting.

Issue #1838 screenshot shows: The OpenAPI document exposes Book_NoAutoPK schema even though it may not be necessary depending on strictness settings.

Understanding request-body-strict

The request-body-strict configuration controls whether DAB allows extraneous fields in REST request bodies:

{
  "runtime": {
    "rest": {
      "enabled": true,
      "path": "/api",
      "request-body-strict": true  // Default: true
    }
  }
}

When true (strict mode - DEFAULT):

• Request body must contain ONLY valid fields for the entity
• Extraneous/extra fields cause a 400 Bad Request error
• Read-only fields cannot be included in request bodies

When false (non-strict mode):

• Extra fields in the request body are ignored (not cause errors)
• Provides more flexibility for clients

How It Works at Runtime

Looking at the request validation code:

/// <summary>
/// Helper method to check if the request body for REST allows extra fields.
/// </summary>
/// <returns>true if extra fields are not allowed in REST request body.</returns>
private bool IsRequestBodyStrict()
{
    if (_runtimeConfigProvider.TryGetConfig(out RuntimeConfig? runtimeConfig))
    {
        return runtimeConfig.IsRequestBodyStrict;
    }

    return true; // Default is strict mode
}

And the validation enforcement:

// There may be unvalidated fields remaining because of extraneous fields in request body
// which are not mapped to the table. We throw an exception only when we operate in strict mode,
// i.e. when extraneous fields are not allowed.
if (unvalidatedFields.Any() && isRequestBodyStrict)
{
    throw new DataApiBuilderException(
        message: "Invalid request body. Either insufficient or extra fields supplied.",
        statusCode: HttpStatusCode.BadRequest,
        subStatusCode: DataApiBuilderException.SubStatusCodes.BadRequest);
}

The Enhancement Request

What DAB currently does in OpenAPI generation:

• Creates multiple schema models for each entity regardless of request-body-strict:
  • EntityName - Full schema with all fields
  • EntityName_NoAutoPK - Schema excluding auto-generated PKs (for POST)
  • EntityName_NoPK - Schema excluding all PKs (for PUT/PATCH)

What the enhancement wants:

• If request-body-strict: true: Include all schema variations (current behavior)
• If request-body-strict: false: Potentially simplify the OpenAPI schema since extra fields are allowed anyway

The current OpenAPI generator doesn't check this setting:

private static OpenApiRequestBody CreateOpenApiRequestBodyPayload(string schemaReferenceId, bool requestBodyRequired)
{
    OpenApiRequestBody requestBody = new()
    {
        Content = new Dictionary<string, OpenApiMediaType>()
        {
            {
                MediaTypeNames.Application.Json,
                new()
                {
                    Schema = new OpenApiSchema()
                    {
                        Reference = new OpenApiReference()
                        {
                            Type = ReferenceType.Schema,
                            Id = schemaReferenceId  // ← Always includes _NoAutoPK, _NoPK variants
                        }
                    }
                }
            }
        },
        Required = requestBodyRequired
    };

    return requestBody;
}

---

Current Impact

When request-body-strict: true (Default)

OpenAPI shows:

• Book - Full schema
• Book_NoAutoPK - For POST r...

• Fixes [Enh]: Obey "request-body-strict" in OpenAPI #2947

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.