Fix OpenAPI 3 path coercion to respect coerce_path_params independently of query coercion (#467)

This PR fixes OpenAPI 3 request coercion behavior where path parameter coercion was unintentionally coupled to `coerce_query_params`.

`OperationWrapper#coerce_path_parameter` was building its parser options using `coerce_query_params` instead of `coerce_path_params`.

As a result, this configuration behaved incorrectly.

- `coerce_path_params: true`
- `coerce_query_params: false`

Path coercion could be disabled even when explicitly enabled.

Additionally, this PR fixes a related validation gap: path params must still be validated even when `coerce_path_params` is `false`.
`coerce_path_params: false` now means:

- path params are validated
- path params are not coerced

and remains independent from `coerce_query_params`.

Tests were updated to cover both option combinations and to assert query coercion behavior using actual query params.
`bundle exec rake test` passes.

Author: ydah

lib/committee/schema_validator/open_api_3.rb

@@ -55,7 +55,6 @@ def link_exist?
       attr_reader :validator_option
 
       def coerce_path_params
-        return Committee::Utils.indifferent_hash unless validator_option.coerce_path_params
         Committee::RequestUnpacker.indifferent_params(@operation_object.coerce_path_parameter(@validator_option))
       end
 

lib/committee/schema_validator/open_api_3/operation_wrapper.rb

@@ -23,9 +23,10 @@ def http_method
 
         def coerce_path_parameter(validator_option)
           options = build_openapi_parser_path_option(validator_option)
+          validated_path_params = request_operation.validate_path_params(options)
           return {} unless options.coerce_value
 
-          request_operation.validate_path_params(options)
+          validated_path_params
         rescue OpenAPIParser::OpenAPIError => e
           raise Committee::InvalidRequest.new(e.message, original_error: e)
         end
@@ -90,6 +91,11 @@ def build_openapi_parser_body_option(validator_option)
 
         # @return [OpenAPIParser::SchemaValidator::Options]
         def build_openapi_parser_path_option(validator_option)
+          build_openapi_parser_option(validator_option, validator_option.coerce_path_params)
+        end
+
+        # @return [OpenAPIParser::SchemaValidator::Options]
+        def build_openapi_parser_request_parameter_option(validator_option)
           build_openapi_parser_option(validator_option, validator_option.coerce_query_params)
         end
 
@@ -125,6 +131,9 @@ def validate_post_request_params(path_params, query_params, body_params, headers
         end
 
         def validate_path_and_query_params(path_params, query_params, headers, validator_option)
+          path_params ||= {}
+          query_params ||= {}
+
           # it's currently impossible to validate path params and query params separately
           # so we have to resort to this workaround
 
@@ -133,7 +142,7 @@ def validate_path_and_query_params(path_params, query_params, headers, validator
 
           merged_params = query_params.merge(path_params)
 
-          request_operation.validate_request_parameter(merged_params, headers, build_openapi_parser_path_option(validator_option))
+          request_operation.validate_request_parameter(merged_params, headers, build_openapi_parser_request_parameter_option(validator_option))
 
           merged_params.each do |k, v|
             path_params[k] = v if path_keys.include?(k)

test/middleware/request_validation_open_api_3_test.rb

@@ -363,6 +363,26 @@ def app
     get "/coerce_path_params/1"
   end
 
+  it "coerces path params even when query param coercion is disabled" do
+    check_parameter_string = lambda { |env|
+      assert env['committee.path_hash']['integer'].is_a?(Integer)
+      assert env['committee.params']['integer'].is_a?(Integer)
+      [200, {}, []]
+    }
+
+    @app = new_rack_app_with_lambda(check_parameter_string, schema: open_api_3_schema, coerce_path_params: true, coerce_query_params: false)
+    get "/coerce_path_params/1"
+    assert_equal 200, last_response.status
+  end
+
+  it "does not coerce path params when path coercion is disabled even if query coercion is enabled" do
+    @app = new_rack_app(schema: open_api_3_schema, coerce_path_params: false, coerce_query_params: true)
+    get "/coerce_path_params/1"
+
+    assert_equal 400, last_response.status
+    assert_match(/integer/i, last_response.body)
+  end
+
   describe "overwrite same parameter (old rule)" do
     # (high priority) path_hash_key -> request_body_hash -> query_param
     it "set query parameter to committee.params and query hash" do

test/schema_validator/open_api_3/operation_wrapper_test.rb

@@ -171,5 +171,39 @@ def operation_object
         assert_equal [], operation_object.request_content_types
       end
     end
+
+    describe 'coercion option wiring' do
+      before do
+        @path = '/coerce_path_params/1'
+        @method = 'get'
+      end
+
+      it 'uses coerce_path_params for explicit path coercion' do
+        disabled = Committee::SchemaValidator::Option.new({ coerce_path_params: false, coerce_query_params: true }, open_api_3_schema, :open_api_3)
+        enabled = Committee::SchemaValidator::Option.new({ coerce_path_params: true, coerce_query_params: false }, open_api_3_schema, :open_api_3)
+
+        error = assert_raises(Committee::InvalidRequest) do
+          operation_object.coerce_path_parameter(disabled)
+        end
+        assert_match(/expected integer, but received String: "1"/i, error.message)
+
+        coerced = operation_object.coerce_path_parameter(enabled)
+        assert_kind_of(Integer, coerced['integer'])
+      end
+
+      it 'uses coerce_query_params for request parameter validation' do
+        query_coercion_disabled = Committee::SchemaValidator::Option.new({ coerce_query_params: false }, open_api_3_schema, :open_api_3)
+        query_coercion_enabled = Committee::SchemaValidator::Option.new({ coerce_query_params: true }, open_api_3_schema, :open_api_3)
+
+        error = assert_raises(Committee::InvalidRequest) do
+          @path = '/characters'
+          operation_object.validate_request_params({}, { "limit" => "1" }, {}, HEADER, query_coercion_disabled)
+        end
+        assert_match(/expected integer, but received String: "1"/i, error.message)
+
+        @path = '/characters'
+        operation_object.validate_request_params({}, { "limit" => "1" }, {}, HEADER, query_coercion_enabled)
+      end
+    end
   end
 end