fix: return HTTP 405 when request method mismatch

jamietanna · jamietanna · commit f21cdcec7b97 · 2026-02-07T12:08:39.000Z
When a route is correctly matched, but the HTTP method used does not, we
should return an HTTP 405 Method Not Allowed.

However, in our previous implementation, we would always return an HTTP
404 Not Found, which is incorrect.

Instead, we can match on whether we have received an
`ErrMethodNotAllowed` and if so, return the correct HTTP 405.
diff --git a/oapi_validate.go b/oapi_validate.go
@@ -124,6 +124,10 @@ func ValidateRequestFromContext(ctx echo.Context, router routers.Router, options
 
 	// We failed to find a matching route for the request.
 	if err != nil {
+		if errors.Is(err, routers.ErrMethodNotAllowed) {
+			return echo.NewHTTPError(http.StatusMethodNotAllowed)
+		}
+
 		switch e := err.(type) {
 		case *routers.RouteError:
 			// We've got a bad request, the path requested doesn't match
diff --git a/oapi_validate_example_test.go b/oapi_validate_example_test.go
@@ -140,6 +140,20 @@ components:
 	logResponseBody(rr)
 	fmt.Println()
 
+	// ================================================================================
+	fmt.Println("# A request that uses the wrong HTTP method is rejected with HTTP 405 Method Not Allowed")
+	req, err = http.NewRequest(http.MethodDelete, "/resource", bytes.NewReader(data))
+	must(err)
+	req.Header.Set("Content-Type", "application/json")
+
+	rr = httptest.NewRecorder()
+
+	e.ServeHTTP(rr, req)
+
+	fmt.Printf("Received an HTTP %d response. Expected HTTP 405\n", rr.Code)
+	logResponseBody(rr)
+	fmt.Println()
+
 	// ================================================================================
 	fmt.Println("# A request that is well-formed is passed through to the Handler")
 	body = map[string]string{
@@ -184,6 +198,10 @@ components:
 	// Received an HTTP 400 response. Expected HTTP 400
 	// Response body: {"message":"request body has an error: doesn't match schema: property \"invalid\" is unsupported"}
 	//
+	// # A request that uses the wrong HTTP method is rejected with HTTP 405 Method Not Allowed
+	// Received an HTTP 405 response. Expected HTTP 405
+	// Response body: {"message":"Method Not Allowed"}
+	//
 	// # A request that is well-formed is passed through to the Handler
 	// POST /resource was called
 	// Received an HTTP 204 response. Expected HTTP 204
diff --git a/oapi_validate_test.go b/oapi_validate_test.go
@@ -146,6 +146,14 @@ func TestOapiRequestValidator(t *testing.T) {
 		called = false
 	}
 
+	// Send a request with the wrong HTTP method
+	{
+		rec := doPost(t, e, "http://deepmap.ai/multiparamresource", nil)
+		assert.Equal(t, http.StatusMethodNotAllowed, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+		called = false
+	}
+
 	// Add a handler for the POST message
 	e.POST("/resource", func(c echo.Context) error {
 		called = true
