Reducing security schema duplicates in OpenAPI parser

[dracomithril]

When security schemas are provided with duplicates we end up with array with repeated security expectations
example:

{
  "security": [
      {
          "security1": [],
          "security2": []
      },
      {
          "security1": [],
          "security3": []
      },
      {
          "security1": [],
          "security4": []
      },
      {
          "security5": [],
          "security2": []
      },
      {
          "security5": [],
          "security3": []
      },
      {
          "security5": [],
          "security4": []
      }
  ]
}

we end up with array where expected values are repeated

[
      {
        name: "X-TENANT",
        type: "apiKey",
      },
      {
        scheme: "bearer",
        type: "http",
      },
      {
        name: "X-TENANT",
        type: "apiKey",
      },
      {
        name: "X-SERVICE-AUTHENTICATION",
        type: "apiKey",
      },
      {
        in: "query",
        name: "tenant_code",
        type: "apiKey",
      },
      {
        in: "query",
        name: "tenant_code",
        type: "apiKey",
      },
      {
        name: "X-SERVICE-AUTHENTICATION",
        type: "apiKey",
      },
]

this PR is to resolve that and obtain short list of security measures that need to be meet

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 36ce55f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

@michalgrezel is attempting to deploy a commit to the Hey API Team on Vercel.

A member of the Team first needs to authorize it.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/hey-api/openapi-ts/@hey-api/nuxt@2479

npm i https://pkg.pr.new/hey-api/openapi-ts/@hey-api/openapi-ts@2479

npm i https://pkg.pr.new/hey-api/openapi-ts/@hey-api/vite-plugin@2479

commit: 36ce55f

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 23.73%. Comparing base (df9b830) to head (36ce55f).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2479      +/-   ##
==========================================
+ Coverage   22.78%   23.73%   +0.94%     
==========================================
  Files         338      338              
  Lines       33733    33733              
  Branches     1353     1404      +51     
==========================================
+ Hits         7686     8005     +319     
+ Misses      26037    25718     -319     
  Partials       10       10              

Flag	Coverage Δ
unittests	23.73% <100.00%> (+0.94%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mrlubos]

Hey @dracomithril, I'm not opposed to this change, but you need to make sure it doesn't discard unique values such as

security:
  - oauth2: [read]
  - oauth2: [write]

[dracomithril]

Hey @dracomithril, I'm not opposed to this change, but you need to make sure it doesn't discard unique values such as

security:
  - oauth2: [read]
  - oauth2: [write]

Thank you @mrlubos for pointing that out. Are there any examples of using scopes?
From what I see in documentation oauth2 can have multiple flows but I do not see logic that is covering that case right now or maybe I'm missing where that logic is present?

[mrlubos]

I don't think there are any examples. It's not oauth2 specific either.

security:
  - foo: [scope1]
  - foo: [scope2]

Your changes are keyed only based on name. That could mean the user receives only scope1 but the token they hold is valid for scope2, so they never try to submit it for the operation

[dracomithril]

so I checked in the code and current implementation does not care about scope at all at least from what I see

openapi-ts/packages/openapi-ts/src/openApi/3.0.x/parser/index.ts

Lines 65 to 73 in df9b830

	if (context.spec.components) {
	for (const name in context.spec.components.securitySchemes) {
	const securityOrReference =
	context.spec.components.securitySchemes[name]!;
	const securitySchemeObject =
	'$ref' in securityOrReference
	? context.resolveRef<SecuritySchemeObject>(securityOrReference.$ref)
	: securityOrReference;
	securitySchemesMap.set(name, securitySchemeObject);

so what ever scope you provide it will still resolve in the same way would we would need to to is extend object in securitySchemesMap to contain scope but right now I do not see the use as it is omitted later

[dracomithril]

to add to it from what I understand in context.spec.components.securitySchemes we will only have unique names so in example that you are showing this definition is for specific path

security:
  - foo: [scope1]
  - foo: [scope2]

but in context.spec.components.securitySchemes we will have unique names

# openapi 3.0.x
spec:
  components:
     securitySchemes:
        foo:
           type: 'oauth2'
           flows:
             password:
                scope: 
                   scope1: 'Grants read access'
                   scope2: 'Grants write access'
                tokenUrl:  'http://some/auth'         

so in current implementation it will still resolve to the same thing we would need to extend logic to have specific path scope added so then on auth() developer can decide what flow to use