Breaking Change: Adding & applying security scheme

[maticardenas]

We are currently using optic and have found recently that adding a new securitySheme to an OAS and applying it globally or individually in an endpoint that didn't have any applied previously, doesn't end up in a breaking change validation error.

As stated here, I'd expect it to clearly be a breaking change for your API as it would become not accessible anymore with the same authentication method for consumers.

As an example it would be:

Previous version

paths:
  /planets/{planetId}:
    get:
      operationId: onePlanet
      summary: Fetch one planet by position
      description: Get the data relating to one planet
      parameters:
      - name: planetId
        in: path
        required: true
        schema:
          type: number
          example: 4

      responses:
        '200':
          description: Planets in a list
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/planet"

components:
  schemas:
    planet:
      type: object
      properties:
        name:
          type: string
          description: Name of planet
          example: "Saturn"
        position:
          type: number
          description: Order in place from the sun
          example: 6
        moons:
          type: number
          description: Number of moons, according to NASA
          example: 62

New version

paths:
  /planets/{planetId}:
    get:
      operationId: onePlanet
      summary: Fetch one planet by position
      description: Get the data relating to one planet
      parameters:
      - name: planetId
        in: path
        required: true
        schema:
          type: number
          example: 4

      responses:
        '200':
          description: Planets in a list
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/planet"

components:
  securitySchemes:
     HTTPBasicAuth:
      type: http
      scheme: basic
      description: Basic Auth API keys to allow access to the API
  schemas:
    planet:
      type: object
      properties:
        name:
          type: string
          description: Name of planet
          example: "Saturn"
        position:
          type: number
          description: Order in place from the sun
          example: 6
        moons:
          type: number
          description: Number of moons, according to NASA
          example: 62

security:
  - HTTPBasicAuth: []

[acunniffe]

Hey @maticardenas -- adding a security schema makes sense as a breaking change. Are there any other kinds of changes you think we should be checking for? If we're going to add / announce support for security we may want to do take a pass at some of the other breaking changes too.

[maticardenas]

Hi @acunniffe, thanks for your answer.

In regard to securitySchemes I thought already some considerations about taking certain modifications as breaking changes or not, which maybe can be further discussed/checked:

Should be breaking change:

• Adding AND applying securityScheme if the previous version of an endpoint didn’t have one.
• Adding AND changing an applied securityScheme to an endpoint.

It is not breaking change:

• Add a securityScheme as a component without applying it to any endpoint.
• Unapply a securityScheme → (tested it for example in DuckDuckGo API which doesn't have by default authentication in place, and it works, if you keep sending as part of header, it’s just ignored).

About other things to consider as breaking changes, not sure if it's already in place, but maybe thinking about the impact of changes in hypermedia controls is something good to evaluate.
I understand they are even thought to be used to prevent breaking changes, but I think in some cases, for instance, if you remove pagination from an endpoint where you were providing it, might break the client's functionality if they were expecting it.

[acunniffe]

This is really helpful -- I think this makes sense for the securitySchemas. The code in Optic that traverses OpenAPI files does not currently map the security schemas so there's a small amount of work on the core library required to make this happen. I've opened an issue and will start discussing this internally. Might take us a few days to get started

#1318

[acunniffe]

Hey @maticardenas -- as of 0.34.1 you can write rules about security!

You will be able to access the security property by using

operation.security

This will either be the security as defined at the operation level OR it will fall back to the spec level definition. If there is no security defined at all it will be null. This is consistent with the spec's rules here https://swagger.io/docs/specification/authentication/