Merge pull request #539 from abraham/copilot/consolidate-oauth2-flows

Consolidate OAuth2 security schemes into single scheme with multiple flows

Author: abraham

dist/schema.json

@@ -156,7 +156,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": [
+            "OAuth2": [
               "write:accounts"
             ]
           }
@@ -5552,7 +5552,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": []
+            "OAuth2": []
           }
         ]
       }
@@ -25644,7 +25644,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": [
+            "OAuth2": [
               "read:statuses"
             ]
           }
@@ -25807,7 +25807,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": [
+            "OAuth2": [
               "read:statuses"
             ]
           }
@@ -29967,7 +29967,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": [
+            "OAuth2": [
               "read:statuses"
             ]
           }
@@ -30356,7 +30356,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": [
+            "OAuth2": [
               "read:statuses"
             ]
           }
@@ -30571,7 +30571,7 @@
         },
         "security": [
           {
-            "OAuth2ClientCredentials": [
+            "OAuth2": [
               "read:statuses"
             ]
           }
@@ -39193,11 +39193,11 @@
     "securitySchemes": {
       "OAuth2": {
         "type": "oauth2",
-        "description": "OAuth 2.0 authentication for user tokens (authorization code flow)",
+        "description": "OAuth 2.0 authentication",
         "flows": {
           "authorizationCode": {
-            "authorizationUrl": "https://mastodon.example/oauth/authorize",
-            "tokenUrl": "https://mastodon.example/oauth/token",
+            "authorizationUrl": "/oauth/authorize",
+            "tokenUrl": "/oauth/token",
             "scopes": {
               "profile": "Access to the current user profile information only",
               "read": "Read access",
@@ -39245,15 +39245,9 @@
               "admin:write:ip_blocks": "Administrative write access to ip_blocks",
               "admin:write:reports": "Administrative write access to reports"
             }
-          }
-        }
-      },
-      "OAuth2ClientCredentials": {
-        "type": "oauth2",
-        "description": "OAuth 2.0 authentication for app tokens (client credentials flow)",
-        "flows": {
+          },
           "clientCredentials": {
-            "tokenUrl": "https://mastodon.example/oauth/token",
+            "tokenUrl": "/oauth/token",
             "scopes": {
               "read": "Read access",
               "write": "Write access",

src/__tests__/generators/MethodConverter.bearer-token-security.test.ts

@@ -31,12 +31,12 @@ describe('MethodConverter Bearer Token Security', () => {
             description: 'OAuth 2.0 authentication',
             flows: {
               authorizationCode: {
-                authorizationUrl: 'https://mastodon.example/oauth/authorize',
-                tokenUrl: 'https://mastodon.example/oauth/token',
+                authorizationUrl: '/oauth/authorize',
+                tokenUrl: '/oauth/token',
                 scopes: {},
               },
               clientCredentials: {
-                tokenUrl: 'https://mastodon.example/oauth/token',
+                tokenUrl: '/oauth/token',
                 scopes: {},
               },
             },
@@ -143,10 +143,8 @@ describe('MethodConverter Bearer Token Security', () => {
 
       const operation = spec.paths['/api/v1/accounts']?.post;
       expect(operation).toBeDefined();
-      // Should require app token (client credentials flow)
-      expect(operation?.security).toEqual([
-        { OAuth2ClientCredentials: ['write:accounts'] },
-      ]);
+      // Should require app token (client credentials flow via OAuth2 security scheme)
+      expect(operation?.security).toEqual([{ OAuth2: ['write:accounts'] }]);
     });
 
     test('should handle app token with multiple scopes', () => {
@@ -163,7 +161,7 @@ describe('MethodConverter Bearer Token Security', () => {
       const operation = spec.paths['/api/v1/admin/action']?.post;
       expect(operation).toBeDefined();
       expect(operation?.security).toEqual([
-        { OAuth2ClientCredentials: ['admin:write', 'write:accounts'] },
+        { OAuth2: ['admin:write', 'write:accounts'] },
       ]);
     });
   });
@@ -182,11 +180,8 @@ describe('MethodConverter Bearer Token Security', () => {
 
       const operation = spec.paths['/api/v1/flexible']?.get;
       expect(operation).toBeDefined();
-      // Should support both user token and app token
-      expect(operation?.security).toEqual([
-        { OAuth2: ['read'] }, // User token
-        { OAuth2ClientCredentials: ['read'] }, // App token
-      ]);
+      // Mixed token types use the same OAuth2 security scheme with both flows available
+      expect(operation?.security).toEqual([{ OAuth2: ['read'] }]);
     });
 
     test('should handle token without scopes', () => {

src/__tests__/generators/SpecBuilder.test.ts

@@ -123,5 +123,76 @@ describe('SpecBuilder', () => {
         /\(https:\/\/github\.com\/mastodon\/documentation\/commit\/test123commit456\)\./
       );
     });
+
+    it('should have a single OAuth2 security scheme with both flows', () => {
+      const mockConfig = {
+        mastodonDocsCommit: 'test123commit456',
+      };
+
+      mockReadFileSync.mockReturnValue(JSON.stringify(mockConfig));
+
+      const spec = specBuilder.buildInitialSpec();
+
+      // Check that there is only one OAuth2 security scheme
+      expect(spec.components?.securitySchemes).toBeDefined();
+      expect(spec.components?.securitySchemes?.OAuth2).toBeDefined();
+      expect(
+        spec.components?.securitySchemes?.OAuth2ClientCredentials
+      ).toBeUndefined();
+
+      // Check the OAuth2 security scheme has both flows
+      const oauth2 = spec.components?.securitySchemes?.OAuth2 as any;
+      expect(oauth2.type).toBe('oauth2');
+      expect(oauth2.description).toBe('OAuth 2.0 authentication');
+      expect(oauth2.flows?.authorizationCode).toBeDefined();
+      expect(oauth2.flows?.clientCredentials).toBeDefined();
+    });
+
+    it('should use path-only URLs for OAuth2 flows', () => {
+      const mockConfig = {
+        mastodonDocsCommit: 'test123commit456',
+      };
+
+      mockReadFileSync.mockReturnValue(JSON.stringify(mockConfig));
+
+      const spec = specBuilder.buildInitialSpec();
+
+      const oauth2 = spec.components?.securitySchemes?.OAuth2 as any;
+
+      // Check authorizationCode flow URLs are path-only
+      expect(oauth2.flows?.authorizationCode?.authorizationUrl).toBe(
+        '/oauth/authorize'
+      );
+      expect(oauth2.flows?.authorizationCode?.tokenUrl).toBe('/oauth/token');
+
+      // Check clientCredentials flow URL is path-only
+      expect(oauth2.flows?.clientCredentials?.tokenUrl).toBe('/oauth/token');
+    });
+
+    it('should include scopes for both OAuth2 flows', () => {
+      const mockConfig = {
+        mastodonDocsCommit: 'test123commit456',
+      };
+
+      mockReadFileSync.mockReturnValue(JSON.stringify(mockConfig));
+
+      const spec = specBuilder.buildInitialSpec();
+
+      const oauth2 = spec.components?.securitySchemes?.OAuth2 as any;
+
+      // Check authorizationCode flow has scopes (from mock: read, write)
+      expect(oauth2.flows?.authorizationCode?.scopes).toBeDefined();
+      expect(oauth2.flows?.authorizationCode?.scopes.read).toBe('Read access');
+      expect(oauth2.flows?.authorizationCode?.scopes.write).toBe(
+        'Write access'
+      );
+
+      // Check clientCredentials flow has scopes
+      expect(oauth2.flows?.clientCredentials?.scopes).toBeDefined();
+      expect(oauth2.flows?.clientCredentials?.scopes.read).toBe('Read access');
+      expect(oauth2.flows?.clientCredentials?.scopes.write).toBe(
+        'Write access'
+      );
+    });
   });
 });

src/generators/MethodConverter.ts

@@ -1009,13 +1009,13 @@ class MethodConverter {
 
       case 'app':
         // Required app token (client credentials flow)
-        securityRequirements.push({ OAuth2ClientCredentials: config.scopes });
+        securityRequirements.push({ OAuth2: config.scopes });
         break;
 
       case 'mixed':
-        // Supports both user and app tokens
-        securityRequirements.push({ OAuth2: config.scopes }); // User token
-        securityRequirements.push({ OAuth2ClientCredentials: config.scopes }); // App token
+        // Supports both user and app tokens - both use the same OAuth2 security scheme
+        // with different flows (authorizationCode for user tokens, clientCredentials for app tokens)
+        securityRequirements.push({ OAuth2: config.scopes });
         break;
 
       case 'unknown':

src/generators/SpecBuilder.ts

@@ -92,23 +92,15 @@ class SpecBuilder {
         securitySchemes: {
           OAuth2: {
             type: 'oauth2',
-            description:
-              'OAuth 2.0 authentication for user tokens (authorization code flow)',
+            description: 'OAuth 2.0 authentication',
             flows: {
               authorizationCode: {
-                authorizationUrl: 'https://mastodon.example/oauth/authorize',
-                tokenUrl: 'https://mastodon.example/oauth/token',
+                authorizationUrl: '/oauth/authorize',
+                tokenUrl: '/oauth/token',
                 scopes: scopesObject,
               },
-            },
-          },
-          OAuth2ClientCredentials: {
-            type: 'oauth2',
-            description:
-              'OAuth 2.0 authentication for app tokens (client credentials flow)',
-            flows: {
               clientCredentials: {
-                tokenUrl: 'https://mastodon.example/oauth/token',
+                tokenUrl: '/oauth/token',
                 scopes: clientCredentialsScopes,
               },
             },