feat(event-handler): add per-route validation support (#7965)

* feat(event-handler): add enable_validation parameter to Route class and decorators

- Add enable_validation parameter to Route class constructor
- Update all route decorators to accept enable_validation parameter
- Modify _build_middleware_stack to check route-level validation setting
- Route-level setting overrides resolver-level when explicitly set
- Maintains backwards compatibility (None inherits from resolver)

Addresses #6983

* feat(event-handler): add enable_validation support to BedrockAgentResolver

- Update all HTTP method decorators to accept enable_validation parameter
- Pass enable_validation to parent class methods
- Ensures type safety and consistency across all resolvers

Addresses #6983

* feat(event-handler): add per-route validation support to async middleware chain

- Update _run_middleware_chain_async to check route-level validation
- Conditionally add validation middlewares based on effective setting
- Supports async/await pattern with per-route validation control

Addresses #6983

* test(event-handler): add comprehensive tests for per-route validation

- Test explicit route-level enable_validation=True
- Test disabling validation on specific routes when globally enabled
- Test request body and response validation with per-route settings
- Test inheritance behavior and mixed validation scenarios
- Test Pydantic v2 compatibility
- All tests passing with full coverage

Addresses #6983

* docs(event-handler): add per-route validation example

- Demonstrate incremental validation adoption for monolithic Lambda
- Show validated routes inheriting global setting
- Show legacy routes with enable_validation=False
- Practical example for migration scenarios

Addresses #6983

* fix(test): correct type ignore placement for SonarCloud

- Move type: ignore comment to function definition line
- Properly suppress return type mismatch warning in test

* test: revert to standard type ignore pattern for consistency

Use same pattern as other validation tests in codebase

* fix(test): use cast to satisfy SonarCloud type checking

Use typing.cast instead of type: ignore comment to properly handle
intentional type mismatch in validation error test. This satisfies
both mypy and SonarCloud while maintaining test functionality.

---------

Co-authored-by: Andrea Amorosi <dreamorosi@gmail.com>

Author: oyiz-michael

aws_lambda_powertools/event_handler/api_gateway.py

@@ -379,6 +379,7 @@ def __init__(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: HTTPStatus | None = None,
         middlewares: list[Callable[..., Response]] | None = None,
     ):
@@ -421,6 +422,8 @@ def __init__(
             Additional OpenAPI extensions as a dictionary.
         deprecated: bool
             Whether or not to mark this route as deprecated in the OpenAPI schema
+        enable_validation: bool | None, optional
+            Enable or disable validation for this specific route. If None, inherits from resolver setting.
         custom_response_validation_http_code: int | HTTPStatus | None, optional
             Whether to have custom http status code for this route if response validation fails
         middlewares: list[Callable[..., Response]] | None
@@ -450,6 +453,7 @@ def __init__(
         self.middlewares = middlewares or []
         self.operation_id = operation_id or self._generate_operation_id()
         self.deprecated = deprecated
+        self.enable_validation = enable_validation
 
         # _middleware_stack_built is used to ensure the middleware stack is only built once.
         self._middleware_stack_built = False
@@ -536,15 +540,21 @@ def _build_middleware_stack(self, router_middlewares: list[Callable[..., Any]],
 
         all_middlewares = []
 
+        # Determine if validation should be enabled for this route
+        # If route has explicit enable_validation setting, use it; otherwise, use resolver's global setting
+        route_validation_enabled = (
+            self.enable_validation if self.enable_validation is not None else app._enable_validation
+        )
+
         # Add request validation middleware first if validation is enabled
-        if hasattr(app, "_request_validation_middleware"):
+        if route_validation_enabled and hasattr(app, "_request_validation_middleware"):
             all_middlewares.append(app._request_validation_middleware)
 
         # Add user middlewares in the middle
         all_middlewares.extend(router_middlewares + self.middlewares)
 
         # Add response validation middleware before the route handler if validation is enabled
-        if hasattr(app, "_response_validation_middleware"):
+        if route_validation_enabled and hasattr(app, "_response_validation_middleware"):
             all_middlewares.append(app._response_validation_middleware)
 
         logger.debug(f"Building middleware stack: {all_middlewares}")
@@ -1133,6 +1143,7 @@ def route(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1195,6 +1206,7 @@ def get(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1236,6 +1248,7 @@ def lambda_handler(event, context):
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -1256,6 +1269,7 @@ def post(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1298,6 +1312,7 @@ def lambda_handler(event, context):
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -1318,6 +1333,7 @@ def put(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1360,6 +1376,7 @@ def lambda_handler(event, context):
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -1380,6 +1397,7 @@ def delete(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1421,6 +1439,7 @@ def lambda_handler(event, context):
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -1441,6 +1460,7 @@ def patch(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1485,6 +1505,7 @@ def lambda_handler(event, context):
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -1505,6 +1526,7 @@ def head(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -1548,6 +1570,7 @@ def lambda_handler(event, context):
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -2569,6 +2592,7 @@ def route(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -2603,6 +2627,7 @@ def register_resolver(func: AnyCallableT) -> AnyCallableT:
                     security,
                     openapi_extensions,
                     deprecated,
+                    enable_validation,
                     custom_response_validation_http_code,
                     middlewares,
                 )
@@ -3130,6 +3155,7 @@ def route(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -3157,6 +3183,7 @@ def register_route(func: AnyCallableT) -> AnyCallableT:
                 frozen_security,
                 frozen_openapi_extensions,
                 deprecated,
+                enable_validation,
                 custom_response_validation_http_code,
             )
 
@@ -3246,6 +3273,7 @@ def route(
         security: list[dict[str, list[str]]] | None = None,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[AnyCallableT], AnyCallableT]:
@@ -3266,6 +3294,7 @@ def route(
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )

aws_lambda_powertools/event_handler/bedrock_agent.py

@@ -124,6 +124,7 @@ def get(  # type: ignore[override]
         include_in_schema: bool = True,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
@@ -144,6 +145,7 @@ def get(  # type: ignore[override]
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -165,6 +167,7 @@ def post(  # type: ignore[override]
         include_in_schema: bool = True,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ):
@@ -185,6 +188,7 @@ def post(  # type: ignore[override]
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -206,6 +210,7 @@ def put(  # type: ignore[override]
         include_in_schema: bool = True,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ):
@@ -226,6 +231,7 @@ def put(  # type: ignore[override]
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -247,6 +253,7 @@ def patch(  # type: ignore[override]
         include_in_schema: bool = True,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable] | None = None,
     ):
@@ -267,6 +274,7 @@ def patch(  # type: ignore[override]
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )
@@ -288,6 +296,7 @@ def delete(  # type: ignore[override]
         include_in_schema: bool = True,
         openapi_extensions: dict[str, Any] | None = None,
         deprecated: bool = False,
+        enable_validation: bool | None = None,
         custom_response_validation_http_code: int | HTTPStatus | None = None,
         middlewares: list[Callable[..., Any]] | None = None,
     ):
@@ -308,6 +317,7 @@ def delete(  # type: ignore[override]
             security,
             openapi_extensions,
             deprecated,
+            enable_validation,
             custom_response_validation_http_code,
             middlewares,
         )

aws_lambda_powertools/event_handler/http_resolver.py

@@ -290,12 +290,18 @@ async def _run_middleware_chain_async(self, route: Route) -> Response:
         # Build middleware list
         all_middlewares: list[Callable[..., Any]] = []
 
-        if hasattr(self, "_request_validation_middleware"):
+        # Determine if validation should be enabled for this route
+        # If route has explicit enable_validation setting, use it; otherwise, use resolver's global setting
+        route_validation_enabled = (
+            route.enable_validation if route.enable_validation is not None else self._enable_validation
+        )
+
+        if route_validation_enabled and hasattr(self, "_request_validation_middleware"):
             all_middlewares.append(self._request_validation_middleware)
 
         all_middlewares.extend(self._router_middlewares + route.middlewares)
 
-        if hasattr(self, "_response_validation_middleware"):
+        if route_validation_enabled and hasattr(self, "_response_validation_middleware"):
             all_middlewares.append(self._response_validation_middleware)
 
         # Create the final handler that calls the route function