Follow-up to #412, which introduced application/x-www-form-urlencoded destructure support in 2026.2.
When using body-style: destructure (the default) for a application/x-www-form-urlencoded requestBody, the processor adds @NotNull to all generated @RequestParam parameters regardless of whether the field is listed in the schema's required array.
Expected: Only parameters listed in required should get @NotNull. Optional fields should get @RequestParam(name = "foo" required = false) with no @NotNull.
Actual: All destructured form parameters get @NotNull, making it impossible to call the endpoint without providing all fields - breaking flows like OAuth2 refresh_token where code, code_verifier, redirect_uri are legitimately absent.
Reproduction:
requestBody:
content:
application/x-www-form-urlencoded:
schema:
type: object
required:
- grant_type
properties:
grant_type:
type: string
code:
type: string # optional — NOT in required
code_verifier:
type: string # optional — NOT in required
Generates:
@RequestParam(name = "grant_type") @NotNull String grantType,
@RequestParam(name = "code") @NotNull String code, // wrong
@RequestParam(name = "code_verifier") @NotNull String codeVerifier // wrong
Expected:
@RequestParam(name = "grant_type") @NotNull String grantType,
@RequestParam(name = "code", required = false) String code,
@RequestParam(name = "code_verifier", required = false) String codeVerifier
Version: openapi-processor-spring:2026.3.1
Follow-up to #412, which introduced
application/x-www-form-urlencodeddestructure support in 2026.2.When using body-style: destructure (the default) for a
application/x-www-form-urlencodedrequestBody, the processor adds@NotNullto all generated@RequestParamparameters regardless of whether the field is listed in the schema's required array.Expected: Only parameters listed in required should get
@NotNull. Optional fields should get@RequestParam(name = "foo" required = false)with no@NotNull.Actual: All destructured form parameters get
@NotNull, making it impossible to call the endpoint without providing all fields - breaking flows like OAuth2refresh_tokenwherecode,code_verifier,redirect_uriare legitimately absent.Reproduction:
Generates:
Expected:
Version: openapi-processor-spring:2026.3.1