
feat: Fail fast at boot when handlers and spec disagree #88

Merged: thced merged 1 commit into master from feat/fail-fast-missing-handlers on May 21, 2026

@thced thced commented May 21, 2026

Contributor

The default exception handler routed MissingOperationHandlerException to a bare 500 at request time, so an OpenAPI operation declared in the spec but missing from the handler map only surfaced when a client hit it. ZAP picked this up against the example launcher and flagged seven Server Error / Application Error Disclosure findings.

Validate handler/spec wiring at OpenApiServer.Builder.build() and throw IllegalStateException with the offending operationIds when:

  • a spec operationId has no registered handler, or
  • a handler is registered for an operationId not in the spec.

Once the boot check is in place the dispatch-time null check, the MissingOperationHandlerException class, and its unit test are unreachable, so they are deleted.

The example ServerLauncher now registers stub handlers for every operation in src/test/resources/openapi.json so the demo (and the ZAP scan) covers the full surface. ServerBaseTest grows a stubAllHandlers helper so the existing tests can keep registering the subset they care about and pick up stubs for the rest.

Re-running ZAP against the updated launcher: no Server Error / no Application Error Disclosure findings; only header hardening warnings remain.

@thced merged commit 5acb4af into master May 21, 2026

4 checks passed

@thced deleted the feat/fail-fast-missing-handlers branch May 21, 2026 07:04
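
The boot-time check described in this pull request, as an added example that is not the project's own code: it compares the spec's operationIds with the registered handler keys in both directions and fails startup with one `IllegalStateException` naming every mismatch. The class `WiringCheck`, the `validate` method, the `Function<String, String>` handler type and the sample operationIds are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Function;

// Added illustration; WiringCheck and validate are hypothetical names,
// not the project's OpenApiServer.Builder implementation.
public final class WiringCheck {

    // Throws IllegalStateException naming every operationId wired on one
    // side only, so a single failed boot reports the whole mismatch.
    static void validate(Set<String> specOperationIds,
                         Map<String, Function<String, String>> handlers) {
        // Declared in the spec but no handler registered.
        Set<String> missing = new TreeSet<>(specOperationIds);
        missing.removeAll(handlers.keySet());

        // Handler registered for an operationId the spec does not declare.
        Set<String> unknown = new TreeSet<>(handlers.keySet());
        unknown.removeAll(specOperationIds);

        if (missing.isEmpty() && unknown.isEmpty()) {
            return;
        }
        StringBuilder msg = new StringBuilder("Handler/spec wiring mismatch.");
        if (!missing.isEmpty()) {
            msg.append(" Spec operations without a handler: ").append(missing).append('.');
        }
        if (!unknown.isEmpty()) {
            msg.append(" Handlers for operations not in the spec: ").append(unknown).append('.');
        }
        throw new IllegalStateException(msg.toString());
    }

    public static void main(String[] args) {
        // Constructed sample data: three spec operations, two handlers, one stale.
        Set<String> spec = Set.of("listPets", "createPet", "deletePet");
        Map<String, Function<String, String>> handlers = Map.of(
                "listPets", req -> "[]",
                "removePet", req -> "gone");
        try {
            validate(spec, handlers);
        } catch (IllegalStateException e) {
            System.out.println("boot aborted: " + e.getMessage());
        }
    }
}
```

Sorting both sets keeps the exception message deterministic, which makes it easier to assert on in tests and to match in startup logs.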