fix: pass unrecognised security schemes (#111)

Author: vwong

src/compare/index.ts

@@ -9,6 +9,7 @@ import { compareReqPath } from "#compare/requestPath";
 import { compareReqQuery } from "#compare/requestQuery";
 import { compareReqBody } from "#compare/requestBody";
 import { compareReqHeader } from "#compare/requestHeader";
+import { compareReqSecurity } from "#compare/requestSecurity";
 import { compareResBody } from "#compare/responseBody";
 import { compareResHeader } from "#compare/responseHeader";
 import { parse as parseOas } from "#documents/oas";
@@ -130,6 +131,13 @@ export class Comparator {
         continue;
       }
 
+      yield* compareReqSecurity(
+        this.#ajvCoerce,
+        route,
+        interaction,
+        index,
+        this.#config,
+      );
       yield* compareReqHeader(
         this.#ajvCoerce,
         route,

src/compare/requestHeader.ts

@@ -178,122 +178,16 @@ export function* compareReqHeader(
 
   // security headers
   // ----------------
+  const securityHeaders = [];
   if (isValidRequest(interaction)) {
-    let isSecured = false;
-    const maybeResults: Result[] = [];
     for (const scheme of operation.security || []) {
-      if (Object.keys(scheme).length === 0) {
-        isSecured = true;
-        break;
-      }
       for (const schemeName of Object.keys(scheme)) {
         const scheme = securitySchemes[schemeName];
-        switch (scheme?.type) {
-          case "apiKey":
-            switch (scheme.in) {
-              case "header":
-                if (requestHeaders.has(scheme.name)) {
-                  isSecured = true;
-                } else {
-                  maybeResults.push({
-                    code: "request.authorization.missing",
-                    message:
-                      "Request Authorization header is missing but is required by the spec file",
-                    mockDetails: {
-                      ...baseMockDetails(interaction),
-                      location: `[root].interactions[${index}].request.headers`,
-                      value: get(interaction, "request.headers"),
-                    },
-                    specDetails: {
-                      location: `[root].paths.${path}.${method}`,
-                      pathMethod: method,
-                      pathName: path,
-                      value: operation,
-                    },
-                    type: "error",
-                  });
-                }
-                requestHeaders.delete(scheme.name);
-                break;
-              case "cookie":
-              case "query":
-            }
-            break;
-          case "basic": {
-            const basicAuth = requestHeaders.get("authorization") || "";
-            if (basicAuth.startsWith("Basic ")) {
-              isSecured = true;
-            } else {
-              maybeResults.push({
-                code: "request.authorization.missing",
-                message:
-                  "Request Authorization header is missing but is required by the spec file",
-                mockDetails: {
-                  ...baseMockDetails(interaction),
-                  location: `[root].interactions[${index}].request.headers`,
-                  value: get(interaction, "request.headers"),
-                },
-                specDetails: {
-                  location: `[root].paths.${path}.${method}`,
-                  pathMethod: method,
-                  pathName: path,
-                  value: operation,
-                },
-                type: "error",
-              });
-            }
-            break;
-          }
-          case "http": {
-            const auth = requestHeaders.get("authorization") || "";
-            let isValid = false;
-            switch (scheme.scheme) {
-              case "basic":
-                isValid = auth.toLowerCase().startsWith("basic ");
-                break;
-              case "bearer":
-                isValid = auth.toLowerCase().startsWith("bearer ");
-                break;
-            }
-
-            if (config.get("no-authorization-schema")) {
-              isValid = requestHeaders.get("authorization") !== null;
-            }
-
-            if (isValid) {
-              isSecured = true;
-            } else {
-              maybeResults.push({
-                code: "request.authorization.missing",
-                message:
-                  "Request Authorization header is missing but is required by the spec file",
-                mockDetails: {
-                  ...baseMockDetails(interaction),
-                  location: `[root].interactions[${index}].request.headers`,
-                  value: get(interaction, "request.headers"),
-                },
-                specDetails: {
-                  location: `[root].paths.${path}.${method}`,
-                  pathMethod: method,
-                  pathName: path,
-                  value: operation,
-                },
-                type: "error",
-              });
-            }
-            break;
-          }
-          case "mutualTLS":
-          case "oauth2":
-          case "openIdConnect":
-          // ignore
+        if (scheme && scheme.type === "apiKey" && scheme.in === "header") {
+          securityHeaders.push(scheme.name.toLowerCase());
         }
       }
     }
-
-    if (!isSecured) {
-      yield* maybeResults;
-    }
   }
 
   // specified headers
@@ -396,22 +290,24 @@ export function* compareReqHeader(
   // -----------------
   if (isValidRequest(interaction)) {
     for (const [headerName, headerValue] of requestHeaders.entries()) {
-      yield {
-        code: "request.header.unknown",
-        message: `Request header is not defined in the spec file: ${headerName}`,
-        mockDetails: {
-          ...baseMockDetails(interaction),
-          location: `[root].interactions[${index}].request.headers.${headerName}`,
-          value: headerValue,
-        },
-        specDetails: {
-          location: `[root].paths.${path}.${method}`,
-          pathMethod: method,
-          pathName: path,
-          value: operation,
-        },
-        type: "warning",
-      };
+      if (!securityHeaders.includes(headerName)) {
+        yield {
+          code: "request.header.unknown",
+          message: `Request header is not defined in the spec file: ${headerName}`,
+          mockDetails: {
+            ...baseMockDetails(interaction),
+            location: `[root].interactions[${index}].request.headers.${headerName}`,
+            value: headerValue,
+          },
+          specDetails: {
+            location: `[root].paths.${path}.${method}`,
+            pathMethod: method,
+            pathName: path,
+            value: operation,
+          },
+          type: "warning",
+        };
+      }
     }
   }
 }

src/compare/requestQuery.ts

@@ -110,74 +110,38 @@ export function* compareReqQuery(
     delete searchParamsParsed[dereferencedParameter.name];
   }
 
+  const securityQueries = [];
   if (isValidRequest(interaction)) {
     for (const scheme of operation.security || []) {
       for (const schemeName of Object.keys(scheme)) {
         const scheme = securitySchemes[schemeName];
-        switch (scheme?.type) {
-          case "apiKey":
-            switch (scheme.in) {
-              case "query":
-                if (!searchParamsParsed[scheme.name]) {
-                  yield {
-                    code: "request.authorization.missing",
-                    message:
-                      "Request Authorization query is missing but is required by the spec file",
-                    mockDetails: {
-                      ...baseMockDetails(interaction),
-                      location: `[root].interactions[${index}].request.query`,
-                      value: get(interaction, "request.query"),
-                    },
-                    specDetails: {
-                      location: `[root].paths.${path}.${method}`,
-                      pathMethod: method,
-                      pathName: path,
-                      value: operation,
-                    },
-                    type: "error",
-                  };
-                }
-                delete searchParamsParsed[scheme.name];
-                break;
-              case "cookie":
-              case "header":
-              // ignore
-            }
-            break;
-          case "http":
-            switch (scheme.scheme) {
-              case "basic":
-              case "bearer":
-              // ignore
-            }
-            break;
-          case "mutualTLS":
-          case "oauth2":
-          case "openIdConnect":
-          // ignore
+        if (scheme?.type === "apiKey" && scheme?.in === "query") {
+          securityQueries.push(scheme.name);
         }
       }
     }
   }
 
   if (isValidRequest(interaction)) {
-    for (const [key, value] of Object.entries(searchParamsParsed)) {
-      yield {
-        code: "request.query.unknown",
-        message: `Query parameter is not defined in the spec file: ${key}`,
-        mockDetails: {
-          ...baseMockDetails(interaction),
-          location: `[root].interactions[${index}].request.query.${key}`,
-          value: value,
-        },
-        specDetails: {
-          location: `[root].paths.${path}.${method}`,
-          pathMethod: method,
-          pathName: path,
-          value: operation,
-        },
-        type: "warning",
-      };
+    for (const [queryName, queryValue] of Object.entries(searchParamsParsed)) {
+      if (!securityQueries.includes(queryName)) {
+        yield {
+          code: "request.query.unknown",
+          message: `Query parameter is not defined in the spec file: ${queryName}`,
+          mockDetails: {
+            ...baseMockDetails(interaction),
+            location: `[root].interactions[${index}].request.query.${queryName}`,
+            value: queryValue,
+          },
+          specDetails: {
+            location: `[root].paths.${path}.${method}`,
+            pathMethod: method,
+            pathName: path,
+            value: operation,
+          },
+          type: "warning",
+        };
+      }
     }
   }
 }