pactflow · vwong · Mar 14, 2025 · Mar 14, 2025 · Mar 14, 2025
diff --git a/src/__tests__/fixtures/request-security/oas.yaml b/src/__tests__/fixtures/request-security/oas.yaml
@@ -146,6 +146,20 @@ paths:
           description: unauthenticated
         "403":
           description: unauthorized
+  /empty:
+    get:
+      summary: Default authenticated endpoint
+      description: Empty securit requirement
+      responses:
+        "200":
+          description: successful operation
+        "401":
+          description: unauthenticated
+        "403":
+          description: unauthorized
+      security:
+        - {}
+
 security:
   - BasicAuth: [Admin]
 components:

diff --git a/src/__tests__/fixtures/request-security/pact.json b/src/__tests__/fixtures/request-security/pact.json
@@ -248,6 +248,16 @@
       "response": {
         "status": 200
       }
+    },
+    {
+      "description": "should pass on successful request using empty security",
+      "request": {
+        "method": "GET",
+        "path": "/empty"
+      },
+      "response": {
+        "status": 200
+      }
     }
   ]
 }
diff --git a/src/compare/requestHeader.ts b/src/compare/requestHeader.ts
@@ -182,6 +182,10 @@ export function* compareReqHeader(
     let isSecured = false;
     const maybeResults: Result[] = [];
     for (const scheme of operation.security || []) {
+      if (Object.keys(scheme).length === 0) {
+        isSecured = true;
+        break;
+      }
       for (const schemeName of Object.keys(scheme)) {
         const scheme = securitySchemes[schemeName];
         switch (scheme?.type) {