feat(state): strict query parameters

src/Metadata/ApiResource.php

@@ -963,6 +963,7 @@ public function __construct(
         ?string $policy = null,
         array|string|null $middleware = null,
         array|Parameters|null $parameters = null,
+        protected ?bool $strictQueryParameterValidation = null,
         protected array $extraProperties = [],
     ) {
         parent::__construct(
@@ -1007,6 +1008,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
 

src/Metadata/Delete.php

@@ -98,6 +98,7 @@ public function __construct(
         mixed $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -178,6 +179,7 @@ class: $class,
             extraProperties: $extraProperties,
             collectDenormalizationErrors: $collectDenormalizationErrors,
             parameters: $parameters,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             stateOptions: $stateOptions,
         );
     }

src/Metadata/Get.php

@@ -98,6 +98,7 @@ public function __construct(
         mixed $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -177,6 +178,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties,
         );
     }

src/Metadata/GetCollection.php

@@ -98,6 +98,7 @@ public function __construct(
         array|string|null $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
         private ?string $itemUriTemplate = null,
     ) {
@@ -178,6 +179,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             stateOptions: $stateOptions,
         );
     }

src/Metadata/HttpOperation.php

@@ -155,6 +155,7 @@ public function __construct(
         protected ?array $exceptionToStatus = null,
         protected ?array $links = null,
         protected ?array $errors = null,
+        protected ?bool $strictQueryParameterValidation = null,
 
         ?string $shortName = null,
         ?string $class = null,
@@ -630,6 +631,17 @@ public function withErrors(array $errors): self
     {
         $self = clone $this;
         $self->errors = $errors;
+    }
+
+    public function getStrictQueryParameterValidation(): ?bool
+    {
+        return $this->strictQueryParameterValidation;
+    }
+
+    public function withStrictQueryParameterValidation(bool $strictQueryParameterValidation): self
+    {
+        $self = clone $this;
+        $self->strictQueryParameterValidation = $strictQueryParameterValidation;
 
         return $self;
     }

src/Metadata/Metadata.php

@@ -81,6 +81,7 @@ public function __construct(
         protected ?string $policy = null,
         protected array|string|null $middleware = null,
         protected ?bool $queryParameterValidationEnabled = null,
+        protected ?bool $strictQueryParameterValidation = null,
         protected array $extraProperties = [],
     ) {
         if (\is_array($parameters) && $parameters) {

src/Metadata/Operation.php

@@ -811,6 +811,7 @@ public function __construct(
         ?string $policy = null,
         array|string|null $middleware = null,
         ?bool $queryParameterValidationEnabled = null,
+        protected ?bool $strictQueryParameterValidation = null,
         protected array $extraProperties = [],
     ) {
         parent::__construct(

src/Metadata/Patch.php

@@ -98,6 +98,7 @@ public function __construct(
         mixed $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -178,6 +179,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }

src/Metadata/Post.php

@@ -100,6 +100,7 @@ public function __construct(
         array|string|null $middleware = null,
         array $extraProperties = [],
         private ?string $itemUriTemplate = null,
+        ?bool $strictQueryParameterValidation = null,
     ) {
         parent::__construct(
             method: 'POST',
@@ -179,6 +180,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }

src/Metadata/Put.php

@@ -99,6 +99,7 @@ public function __construct(
         ?string $policy = null,
         array|string|null $middleware = null,
         array $extraProperties = [],
+        ?bool $strictQueryParameterValidation = null,
         private ?bool $allowCreate = null,
     ) {
         parent::__construct(
@@ -179,6 +180,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }

src/State/Exception/ParameterNotSupportedException.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace ApiPlatform\State\Exception;
+
+use ApiPlatform\Metadata\Exception\ProblemExceptionInterface;
+use ApiPlatform\Metadata\Exception\RuntimeException;
+
+final class ParameterNotSupportedException extends RuntimeException implements ProblemExceptionInterface
+{
+    public function __construct(private readonly string $parameter, string $message = "Parameter not supported", int $code = 0, \Throwable|null $previous = null) {
+        parent::__construct($message, $code, $previous);
+    }
+
+    public function getType(): string
+    {
+        return '/error/400';
+    }
+
+    public function getTitle(): ?string
+    {
+        return $this->message;
+    }
+
+    public function getStatus(): ?int
+    {
+        return 400;
+    }
+
+    public function getDetail(): ?string
+    {
+        return sprintf('Parameter "%s" not supported', $this->parameter);
+    }
+
+    public function getInstance(): ?string
+    {
+        return $this->parameter;
+    }
+}

src/State/Provider/ParameterProvider.php

@@ -13,7 +13,9 @@
 
 namespace ApiPlatform\State\Provider;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\Exception\ParameterNotSupportedException;
 use ApiPlatform\State\Exception\ProviderNotFoundException;
 use ApiPlatform\State\ParameterNotFound;
 use ApiPlatform\State\ParameterProviderInterface;
@@ -50,6 +52,20 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         }
 
         $parameters = $operation->getParameters();
+
+        if ($operation instanceof HttpOperation && true === $operation->getStrictQueryParameterValidation()) {
+            $keys = [];
+            foreach($parameters as $parameter) {
+                $keys[] = $parameter->getKey();
+            }
+
+            foreach (array_keys($request->attributes->get('_api_query_parameters')) as $key) {
+                if (!in_array($key, $keys)) {
+                    throw new ParameterNotSupportedException($key);
+                }
+            }
+        }
+
         foreach ($parameters ?? [] as $parameter) {
             $extraProperties = $parameter->getExtraProperties();
             unset($extraProperties['_api_values']);
@@ -103,3 +119,4 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         return $this->decorated?->provide($operation, $uriVariables, $context);
     }
 }
+