openapi-typescript

Multiple security schemes not supported

Open nzapponi opened this issue 1 year ago • 0 comments

Description

When defining multiple security schemes, the package fails to parse the spec, as it expects all security schemes to be defined in the security section.

According to the OpenAPI 3.0 spec, however, this is not required: https://swagger.io/docs/specification/authentication/ .

Conversion of type '{ openapi: string; info: { title: string; version: string; }; servers: { url: string; }[]; security: ({ sessionCookie: never[]; sessionToken?: undefined; } | { sessionToken: never[]; sessionC@dctr/api-spec:watch: ]; components: { ...; }; paths: { ...; }; }' to type 'Document' may be a mistake because neither type sufficiently overlaps with the other. If this was intentional, convert the expression to 'unknown' first.
Types of property 'security' are incompatible.
Type '({ sessionCookie: never[]; sessionToken?: undefined; } | { sessionToken: never[]; sessionCookie?: undefined; })[]' is not comparable to type 'SecurityRequirementObject[]'.
Type '{ sessionCookie: never[]; sessionToken?: undefined; } | { sessionToken: never[]; sessionCookie?: undefined; }' is not comparable to type 'SecurityRequirementObject'.
Type '{ sessionToken: never[]; sessionCookie?: undefined; }' is not comparable to type 'SecurityRequirementObject'.
Property '"sessionCookie"' is incompatible with index signature.
Type 'undefined' is not comparable to type 'string[]'.
31       apiSpec: spec as OpenAPIV3.Document,
Name Version
openapi-typescript 6.7.4

Reproduction

Define these securitySchemes components:

"securitySchemes": {
  "sessionToken": {
    "type": "http",
    "scheme": "bearer"
  },
  "sessionCookie": {
    "type": "apiKey",
    "in": "cookie",
    "name": "my_session"
  }
}

And set:

"security": [
  {
    "sessionCookie": []
  },
  {
    "sessionToken": []
  }
]

The intended behavior is that clients can use either security scheme.

Expected result

For the spec to successfully be typed.

nzapponi Apr 29 '24 10:04
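
Added example, not part of the issue or of openapi-typescript's code: one way a server could evaluate the `security` array from the reproduction, where each array entry is an alternative (OR) and every scheme named inside one entry must be present (AND). The type names, the `Req` shape and the function names are assumptions made for this sketch, and it checks only that a credential is presented, not that it is valid.

```typescript
// Local types for this example (assumed names, not openapi-typescript's own).
type SecurityScheme =
  | { type: "http"; scheme: string }
  | { type: "apiKey"; in: "cookie" | "header" | "query"; name: string };
type SecurityRequirement = Record<string, string[]>;
// Constructed request shape: header names are already lower-cased.
interface Req { headers: Record<string, string>; query?: Record<string, string> }

// Values copied from the issue's reproduction.
const securitySchemes: Record<string, SecurityScheme> = {
  sessionToken: { type: "http", scheme: "bearer" },
  sessionCookie: { type: "apiKey", in: "cookie", name: "my_session" },
};
const security: SecurityRequirement[] = [{ sessionCookie: [] }, { sessionToken: [] }];

function cookieValue(header: string | undefined, name: string): string | undefined {
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return undefined;
}

// True when the request carries a non-empty credential in the place the scheme names.
function presents(scheme: SecurityScheme, req: Req): boolean {
  if (scheme.type === "http") {
    const parts = (req.headers["authorization"] ?? "").trim().split(/\s+/);
    return parts.length === 2 && (parts[0] ?? "").toLowerCase() === scheme.scheme.toLowerCase();
  }
  const value =
    scheme.in === "cookie" ? cookieValue(req.headers["cookie"], scheme.name)
    : scheme.in === "header" ? req.headers[scheme.name.toLowerCase()]
    : req.query?.[scheme.name];
  return value !== undefined && value !== "";
}

// Returns the scheme names of the first satisfied alternative, or null to reject.
// An empty requirement object ({}) matches any request, i.e. anonymous access.
function matchRequirement(reqs: SecurityRequirement[],
    schemes: Record<string, SecurityScheme>, req: Req): string[] | null {
  for (const requirement of reqs) {
    const names = Object.keys(requirement);
    const ok = names.every((n) => {
      const s = schemes[n];
      return s !== undefined && presents(s, req); // undeclared scheme name: fail closed
    });
    if (ok) return names;
  }
  return null;
}
```
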