add tests for security schemes prefixed with x- and X- #188

Closed
rpmccarter

Creates test cases for #54. Test case passes for X-, but fails for x-. Not confident enough to contribute a fix, so any help fixing these test cases would be greatly appreciated.

Hopefully adding this will prevent regressions in the future!

@rpmccarter rpmccarter changed the title add tests for x- and X- prefixed security schemes add tests for security schemes prefixed with x- and X- Oct 25, 2023
@daveshanley
Member

Hi, I have looked into this today again as I was looking through the backlog.

This use case cannot be supported. X- is a valid header prefix, but x- is not and cannot be. Any field that begins with x- is considered an extension.

https://spec.openapis.org/oas/latest.html#specificationExtensions

I can't make this work, it would mean that extensions are not supported for SecurityScheme objects, which would violate the spec. When in fact using any non-extension field with a prefix of lowercase x- is actually a violation of the spec.

Thanks.

@rpmccarter
Author

Hey, thanks for the reply! This isn't a huge deal for me any more, but just wanted to respond to your comment - feel free to take it or leave it!

Extensions aren't allowed just anywhere in an OpenAPI document. The OpenAPI Spec v3.1.0 explicitly states exactly which fields may be extended with Specification Extensions. If you refer to the link you sent and search the page for "This object MAY be extended with Specification Extensions", you'll see 27 objects that can be extended. If you take a look at the entry for the Components Object, you'll see that the Components Object itself can be extended, but the securitySchemes field is just a map from strings to Security Scheme Objects. While the Security Scheme Object itself can be extended with Specification Extensions, nowhere in the spec does it state that the securitySchemes map can be extended.

Just below the table of fixed fields for the Components Object, you'll also see the following:

All the fixed fields declared above are objects that MUST use keys that match the regular expression: ^[a-zA-Z0-9\.\-_]+$.

This seems to suggest that x-foo-bar is a perfectly valid key for the securitySchemes object.
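
An added example, not part of the pull request or the project's code: a Python check that applies the key pattern quoted in the comment above to `securitySchemes` and reports security requirements that would stop resolving if a parser treated lowercase `x-` keys in that map as extensions. The sample document and the name `audit_security_schemes` are constructed for illustration.

```python
import re

# Key pattern quoted from the Components Object section of the OpenAPI spec.
COMPONENT_KEY = re.compile(r"^[a-zA-Z0-9\.\-_]+$")

def audit_security_schemes(doc):
    """Return (invalid_keys, ambiguous_keys, unresolved_requirements)."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    invalid = sorted(k for k in schemes if not COMPONENT_KEY.fullmatch(k))
    # Valid under the pattern, but invisible to a parser that treats every
    # lowercase "x-" key as a Specification Extension.
    ambiguous = sorted(k for k in schemes
                       if COMPONENT_KEY.fullmatch(k) and k.startswith("x-"))
    visible = set(schemes) - set(invalid) - set(ambiguous)
    unresolved = []

    def collect(where, requirements):
        # Each requirement is a map of scheme name -> list of scopes.
        for requirement in requirements or []:
            for name in requirement:
                if name not in visible:
                    unresolved.append((where, name))

    collect("root", doc.get("security"))
    for path, item in doc.get("paths", {}).items():
        for method, operation in item.items():
            if isinstance(operation, dict):  # skip path-level lists such as parameters
                collect(f"{method.upper()} {path}", operation.get("security"))
    return invalid, ambiguous, sorted(unresolved)

# Constructed sample document (not taken from the pull request).
SAMPLE = {
    "security": [{"X-API-Key": []}],
    "paths": {"/pets": {
        "get": {"security": [{"x-api-key": []}]},
        "post": {"security": [{"X-API-Key": []}]},
    }},
    "components": {"securitySchemes": {
        "X-API-Key": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "x-api-key": {"type": "apiKey", "in": "header", "name": "x-api-key"},
        "bad key!": {"type": "http", "scheme": "basic"},
    }},
}

if __name__ == "__main__":
    for label, found in zip(("invalid", "ambiguous", "unresolved"),
                            audit_security_schemes(SAMPLE)):
        print(label, found)
```

An operation listed under `unresolved` references a scheme name that such a parser would not load, so it is worth flagging in review before the document reaches tooling that enforces or documents authentication from it.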
