
feat: Support securitySchemes #60

Merged: thced merged 23 commits into master from feat/security-schemes-design on May 18, 2026
thced commented May 18, 2026

No description provided.

thced added 23 commits May 18, 2026 11:43

Captures the Wave 7 plan from the OpenAPI 3.1 refactor inventory: parse
securitySchemes + security requirements, extract credentials per scheme,
let consumers validate via name-keyed callback, library renders 401/403.
Includes useExternalAuthentication() opt-out for OPA-sidecar deployments
and explicit k6 compatibility constraints.

Operation now carries an Optional<List<SecurityRequirement>> security
field. When a path operation declares "security" in the OpenAPI doc, the
parsed list is present (including an empty list to opt-out of root
security); absent means no operation-level override.

Adds SecurityFilter with OR-of-AND group evaluation. Satisfied groups
update the ScopedValue binding with extracted principals. Rejection path
(Task 9) stubs with UnsupportedOperationException. Includes
ScopedValueHarness test helper and SecurityFilterTest covering the
allowed and no-security cases.

Replace the UnsupportedOperationException placeholder with a full
rejection path: DENIED failures produce 403 Forbidden with no
challenge header; MISSING/MALFORMED failures produce 401 Unauthorized
with one WWW-Authenticate header per distinct scheme. Added a generic
ProblemDetailRenderer.render(status, title, detail) overload used by
the rejection renderer. Three new SecurityFilterTest cases cover
bearer-missing→401, bearer-denied→403, and apiKey-missing→401.

Builder.build() now calls validateSecurityWiring() before constructing
the server when externalAuth is false. It collects all scheme names
referenced by any operation's effective security, and throws
IllegalStateException for unknown, Unsupported, or validator-less schemes.

Add four secured paths under /secure/* to openapi.json and openapi.yaml,
plus a securitySchemes block (apiKeyAuth, bearerAuth, basicAuth). Wire
deny-all SchemeValidator stubs and no-op handlers into ServerBaseTest
(via newBuilder helper) and ServerLauncher so existing tests keep booting.
thced merged commit 53b347b into master May 18, 2026
3 checks passed
thced deleted the feat/security-schemes-design branch May 18, 2026 12:49
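
The commit messages above describe OR-of-AND group evaluation, the empty-list opt-out from root security, and the 401/403 split. The sketch below is an added example, not code from this pull request: `SecurityDecisionExample`, `Group`, `Decision`, `Outcome.OK`, `effective` and `decide` are hypothetical names, and the sample requirements and outcomes are constructed. It assumes that a scheme with no recorded outcome counts as MISSING and that a DENIED outcome in any group takes precedence over MISSING/MALFORMED, neither of which the page states.

```java
import java.util.*;

public class SecurityDecisionExample {
    enum Outcome { OK, MISSING, MALFORMED, DENIED }
    record Group(List<String> schemes) {}                  // schemes that must ALL pass (AND)
    record Decision(int status, Set<String> challenges) {} // status 0 = request reaches the handler
    static final Decision ALLOW = new Decision(0, Set.of());

    // An operation-level "security" list overrides the root list when present,
    // even when empty (opt-out); an absent list falls back to the root list.
    static List<Group> effective(Optional<List<Group>> operation, List<Group> root) {
        return operation.orElse(root);
    }

    // results: constructed per-scheme outcome of credential extraction + validation.
    static Decision decide(List<Group> groups, Map<String, Outcome> results) {
        if (groups.isEmpty()) return ALLOW;                 // no security declared, or opted out
        boolean denied = false;
        Set<String> challenges = new LinkedHashSet<>();     // distinct schemes, stable order
        for (Group group : groups) {                        // OR across groups
            boolean satisfied = true;
            for (String scheme : group.schemes()) {         // AND within a group
                Outcome o = results.getOrDefault(scheme, Outcome.MISSING);
                if (o == Outcome.OK) continue;
                satisfied = false;
                if (o == Outcome.DENIED) denied = true; else challenges.add(scheme);
            }
            if (satisfied) return ALLOW;                    // one satisfied group is enough
        }
        // Assumption (not stated on the page): a DENIED outcome in any group wins over
        // MISSING/MALFORMED, so a rejected credential gets 403 with no challenge header.
        return denied ? new Decision(403, Set.of()) : new Decision(401, challenges);
    }

    public static void main(String[] args) {
        List<Group> root = List.of(new Group(List.of("bearerAuth")));
        List<Group> either = List.of(new Group(List.of("apiKeyAuth", "basicAuth")),
                                     new Group(List.of("bearerAuth")));
        Map<String, Outcome> none = Map.of();
        System.out.println(decide(effective(Optional.empty(), root), none));             // root applies
        System.out.println(decide(effective(Optional.of(List.<Group>of()), root), none)); // opt-out
        System.out.println(decide(either, Map.of("apiKeyAuth", Outcome.OK)));            // AND group half met
        System.out.println(decide(either, Map.of("bearerAuth", Outcome.OK)));            // second group met
        System.out.println(decide(either, Map.of("bearerAuth", Outcome.DENIED)));        // credential rejected
    }
}
```

The `challenges` set holds scheme names only; mapping each name to a concrete `WWW-Authenticate` value is left to the renderer the commits describe.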