CLI call to openapi-spec with security in path fails #242

dkreuer opened this issue May 15, 2025 · 3 comments

dkreuer commented May 15, 2025

Type: Bug
Since: 1.8.0

Description:
The CLI call php-openapi validate example.spec.json fails due to the fact that the security in path is transformed to a list of arrays and not a list of objects in

$data[] = [$name => $securityRequirement->getSerializableData()];

Minimal example.spec.json to reproduce:

{
  "openapi": "3.0.0",
  "info": {
    "title": "My API",
    "version": "1, 2"
  },
  "paths": {
    "/v1/users/profile": {
      "get": {
        "operationId": "V1GetUserProfile",
        "summary": "Returns the user profile",
        "responses": {
          "200": {
            "description": "dummy"
          }
        },
        "security": [
          {
            "test_test": ["test:scope:foo"]
          }
        ]
      }
    }
  },
  "components": {
    "securitySchemes": {
      "test_test": {
        "type": "oauth2",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://example.com/openid-connect/auth",
            "tokenUrl": "https://example.com/openid-connect/token",
            "scopes": {
              "test:scope:foo": "test_scope"
            }
          }
        }
      }
    }
  }
}

I'll provide a MR with test case and a fix if you like.

SOHELAHMED7 added a commit to SOHELAHMED7/php-openapi that referenced this issue May 15, 2025
@SOHELAHMED7
Contributor

Thanks for reporting.

This issue is fixed in PR #239

Commit: SOHELAHMED7@f669fef

Commit containing test: 6d5bde9

@mkorkmaz

Hi @SOHELAHMED7

I use this library to verify and merge YAML files into a single OpenAPI YAML file. I have two security schemes, as stated in the example source below.

In most cases, I expect these two security schemes to be used together (logical conjunction).

Since v1.8.0 this is broken: in the generated YAML file only apiKey is used, the second one is ignored, and bearerAuth is missing completely from the endpoint definitions.

Example source yaml:

openapi: 3.0.0
info:
  title: API Documentation
  description: All API endpoints are presented here.
  version: 1.0.0
servers:
  - url: http://127.0.0.1:8080/

paths:

  /endpoint:
    get:
      responses:
        '200':
          description: OK
      security:
        - apiKey: []
          bearerAuth: []
components:
  securitySchemes:
    apiKey:
      type: apiKey
      in: header
      name: X-APi-Key
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: JWT Authorization header using the Bearer scheme.

Generated output:

openapi: 3.0.0
info:
  title: 'API Documentation'
  description: 'All API endpoints are presented here.'
  version: 1.0.0
servers:
  -
    url: 'http://127.0.0.1:8080/'
paths:
  /endpoint:
    get:
      responses:
        '200':
          description: OK
      security:
        -
          apiKey: []
components:
  securitySchemes:
    apiKey:
      type: apiKey
      name: X-APi-Key
      in: header
    bearerAuth:
      type: http
      description: 'JWT Authorization header using the Bearer scheme.'
      scheme: bearer
      bearerFormat: JWT
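
A check for the regression described in the comment above, as an added example that is not code from php-openapi or from any commenter: it compares each operation's effective `security` between a source spec and the generated one, treating list entries as alternatives (OR) and the schemes inside one entry as jointly required (AND). The function names are assumptions, and the two inputs are transcribed from the `paths` sections of the YAML above into JSON so the block runs without a YAML parser.

```python
# Added example: detect security requirements lost when a spec is merged or re-serialized.
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def normalize(security):
    """Turn an OpenAPI `security` list into a set of frozensets of (scheme, scopes).
    List entries are alternatives (OR); schemes in one entry are all required (AND)."""
    if security is None:
        return None  # absent: the operation inherits the top-level `security`
    reqs = set()
    for req in security:
        if not isinstance(req, dict):  # each entry must be an object, never a list
            raise ValueError(f"security requirement is not an object: {req!r}")
        reqs.add(frozenset((n, tuple(sorted(s or []))) for n, s in req.items()))
    return reqs

def operation_security(spec):
    """Map 'METHOD /path' to the effective normalized security requirement."""
    default = normalize(spec.get("security"))
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:  # skip 'parameters', 'summary', ...
                own = normalize(op.get("security"))
                result[f"{method.upper()} {path}"] = default if own is None else own
    return result

def security_drift(source, generated):
    """Return {operation: (source_req, generated_req)} for every mismatch."""
    before, after = operation_security(source), operation_security(generated)
    return {op: (before.get(op), after.get(op))
            for op in sorted(before.keys() | after.keys())
            if before.get(op) != after.get(op)}

# Constructed input: the `paths` parts of the source and generated YAML above, as JSON.
SOURCE = json.loads(
    '{"paths": {"/endpoint": {"get": {"security": [{"apiKey": [], "bearerAuth": []}]}}}}')
GENERATED = json.loads(
    '{"paths": {"/endpoint": {"get": {"security": [{"apiKey": []}]}}}}')

if __name__ == "__main__":
    for op, (want, got) in security_drift(SOURCE, GENERATED).items():
        print(f"{op}: source requires {want}, generated requires {got}")
```

Run as a CI step after merging, a non-empty result means the generated file documents different authentication requirements than the source files did.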

SOHELAHMED7 added a commit to SOHELAHMED7/php-openapi that referenced this issue May 17, 2025
@SOHELAHMED7
Contributor

@mkorkmaz

Thanks for reporting.

This issue is fixed in 7b5f3da and 19fabbc (PR #239).

I have already added a test for the above scenario and I will add more for other scenarios.
