fix: openapi securitySchemas with referenced schemas (#647)

Author: sukovanej

.changeset/fresh-apricots-explain.md

@@ -0,0 +1,5 @@
+---
+"effect-http": patch
+---
+
+Fix #646 - securitySchemes was overwritten by reference schemas.

packages/effect-http/src/internal/open-api.ts

@@ -38,143 +38,141 @@ export const make = (
   }
 
   api.groups.forEach((group) =>
-    group.endpoints.forEach(
-      (endpoint) => {
-        const options = ApiEndpoint.getOptions(endpoint)
-        const security = ApiEndpoint.getSecurity(endpoint)
-
-        const operationSpec: OpenApiTypes.OpenAPISpecOperation = {
-          operationId: ApiEndpoint.getId(endpoint),
-          tags: [group.name]
-        }
+    group.endpoints.forEach((endpoint) => {
+      const options = ApiEndpoint.getOptions(endpoint)
+      const security = ApiEndpoint.getSecurity(endpoint)
 
-        for (const response of ApiEndpoint.getResponse(endpoint)) {
-          const body = ApiResponse.getBodySchema(response)
-          const headers = ApiResponse.getHeadersSchema(response)
-          const status = ApiResponse.getStatus(response)
+      const operationSpec: OpenApiTypes.OpenAPISpecOperation = {
+        operationId: ApiEndpoint.getId(endpoint),
+        tags: [group.name]
+      }
 
-          const responseSpec: OpenApiTypes.OpenApiSpecResponse = { description: `Response ${status}` }
+      for (const response of ApiEndpoint.getResponse(endpoint)) {
+        const body = ApiResponse.getBodySchema(response)
+        const headers = ApiResponse.getHeadersSchema(response)
+        const status = ApiResponse.getStatus(response)
 
-          if (!ApiSchema.isIgnored(body) && !ApiSchema.isIgnored(headers)) {
-            responseSpec.description = "No content"
-          }
+        const responseSpec: OpenApiTypes.OpenApiSpecResponse = { description: `Response ${status}` }
 
-          if (!ApiSchema.isIgnored(body)) {
-            const content: OpenApiTypes.OpenApiSpecMediaType = {
-              schema: makeSchema(body, addComponentSchemaCallback)
-            }
+        if (!ApiSchema.isIgnored(body) && !ApiSchema.isIgnored(headers)) {
+          responseSpec.description = "No content"
+        }
 
-            const description = AST.getDescriptionAnnotation(body.ast)
+        if (!ApiSchema.isIgnored(body)) {
+          const content: OpenApiTypes.OpenApiSpecMediaType = {
+            schema: makeSchema(body, addComponentSchemaCallback)
+          }
 
-            if (Option.isSome(description)) {
-              content.description = description.value
-            }
+          const description = AST.getDescriptionAnnotation(body.ast)
 
-            responseSpec.content = {
-              "application/json": content
-            }
+          if (Option.isSome(description)) {
+            content.description = description.value
           }
 
-          if (!ApiSchema.isIgnored(headers)) {
-            responseSpec.headers = createResponseHeaders(headers, addComponentSchemaCallback)
+          responseSpec.content = {
+            "application/json": content
           }
+        }
 
-          operationSpec.responses = {
-            ...operationSpec.responses,
-            [String(status)]: responseSpec
-          }
+        if (!ApiSchema.isIgnored(headers)) {
+          responseSpec.headers = createResponseHeaders(headers, addComponentSchemaCallback)
         }
 
-        const addParameters = (
-          type: "query" | "header" | "path",
-          schema: Schema.Schema.Any
-        ) => {
-          let parameters: Array<OpenApiTypes.OpenAPISpecParameter> = []
+        operationSpec.responses = {
+          ...operationSpec.responses,
+          [String(status)]: responseSpec
+        }
+      }
 
-          if (operationSpec.parameters === undefined) {
-            operationSpec.parameters = parameters
-          } else {
-            parameters = operationSpec.parameters
-          }
+      const addParameters = (
+        type: "query" | "header" | "path",
+        schema: Schema.Schema.Any
+      ) => {
+        let parameters: Array<OpenApiTypes.OpenAPISpecParameter> = []
 
-          parameters.push(...createParameters(type, schema, addComponentSchemaCallback))
+        if (operationSpec.parameters === undefined) {
+          operationSpec.parameters = parameters
+        } else {
+          parameters = operationSpec.parameters
         }
 
-        const request = ApiEndpoint.getRequest(endpoint)
-
-        const body = ApiRequest.getBodySchema(request)
-        const headers = ApiRequest.getHeadersSchema(request)
-        const path = ApiRequest.getPathSchema(request)
-        const query = ApiRequest.getQuerySchema(request)
+        parameters.push(...createParameters(type, schema, addComponentSchemaCallback))
+      }
 
-        if (!ApiSchema.isIgnored(path)) {
-          addParameters("path", path)
-        }
+      const request = ApiEndpoint.getRequest(endpoint)
 
-        if (!ApiSchema.isIgnored(query)) {
-          addParameters("query", query)
-        }
+      const body = ApiRequest.getBodySchema(request)
+      const headers = ApiRequest.getHeadersSchema(request)
+      const path = ApiRequest.getPathSchema(request)
+      const query = ApiRequest.getQuerySchema(request)
 
-        if (!ApiSchema.isIgnored(headers)) {
-          addParameters("header", headers)
-        }
+      if (!ApiSchema.isIgnored(path)) {
+        addParameters("path", path)
+      }
 
-        if (!ApiSchema.isIgnored(body)) {
-          operationSpec.requestBody = {
-            content: {
-              "application/json": {
-                schema: makeSchema(body, addComponentSchemaCallback)
-              }
-            },
-            required: true
-          }
+      if (!ApiSchema.isIgnored(query)) {
+        addParameters("query", query)
+      }
 
-          const description = AST.getDescriptionAnnotation(body.ast)
+      if (!ApiSchema.isIgnored(headers)) {
+        addParameters("header", headers)
+      }
 
-          if (Option.isSome(description)) {
-            operationSpec.requestBody.description = description.value
-          }
+      if (!ApiSchema.isIgnored(body)) {
+        operationSpec.requestBody = {
+          content: {
+            "application/json": {
+              schema: makeSchema(body, addComponentSchemaCallback)
+            }
+          },
+          required: true
         }
 
-        const securityList = Record.toEntries(Security.getOpenApi(security))
+        const description = AST.getDescriptionAnnotation(body.ast)
 
-        if (securityList.length > 0) {
-          operationSpec.security = securityList.map(([name]) => ({ [name]: [] }))
+        if (Option.isSome(description)) {
+          operationSpec.requestBody.description = description.value
         }
+      }
 
-        for (const [name, schemes] of securityList) {
-          const securitySchemes = openApi.components?.securitySchemes ?? {}
-          securitySchemes[name] = schemes as OpenApiTypes.OpenAPISecurityScheme
+      const securityList = Record.toEntries(Security.getOpenApi(security))
 
-          const components = openApi.components ?? {}
-          components.securitySchemes = securitySchemes
+      if (securityList.length > 0) {
+        operationSpec.security = securityList.map(([name]) => ({ [name]: [] }))
+      }
 
-          openApi.components = components
-        }
+      for (const [name, schemes] of securityList) {
+        const securitySchemes = openApi.components?.securitySchemes ?? {}
+        securitySchemes[name] = schemes as OpenApiTypes.OpenAPISecurityScheme
 
-        if (options.description !== undefined) {
-          operationSpec.description = options.description
-        }
+        const components = openApi.components ?? {}
+        components.securitySchemes = securitySchemes
 
-        if (options.summary !== undefined) {
-          operationSpec.summary = options.summary
-        }
+        openApi.components = components
+      }
 
-        if (options.deprecated) {
-          operationSpec["deprecated"] = true
-        }
+      if (options.description !== undefined) {
+        operationSpec.description = options.description
+      }
 
-        const pathName = createPath(ApiEndpoint.getPath(endpoint))
+      if (options.summary !== undefined) {
+        operationSpec.summary = options.summary
+      }
 
-        openApi.paths = {
-          ...openApi.paths,
-          [pathName]: {
-            ...openApi.paths[pathName],
-            [ApiEndpoint.getMethod(endpoint).toLowerCase() as OpenApiTypes.OpenAPISpecMethodName]: operationSpec
-          }
+      if (options.deprecated) {
+        operationSpec["deprecated"] = true
+      }
+
+      const pathName = createPath(ApiEndpoint.getPath(endpoint))
+
+      openApi.paths = {
+        ...openApi.paths,
+        [pathName]: {
+          ...openApi.paths[pathName],
+          [ApiEndpoint.getMethod(endpoint).toLowerCase() as OpenApiTypes.OpenAPISpecMethodName]: operationSpec
         }
       }
-    )
+    })
   )
 
   if (Array.isNonEmptyReadonlyArray(api.groups)) {
@@ -206,7 +204,11 @@ export const make = (
       schemas[name] = openAPISchemaForAst(removeIdentifierAnnotation(ast), addComponentSchemaCallback)
     }
 
-    openApi.components = { schemas }
+    if (openApi.components === undefined) {
+      openApi.components = { schemas }
+    }
+
+    openApi.components.schemas = schemas
   }
 
   return openApi

packages/effect-http/test/openapi.test.ts

@@ -1489,4 +1489,25 @@ describe("component schema and reference", () => {
     // @ts-expect-error
     SwaggerParser.validate(spec)
   })
+
+  it("reference and security", async () => {
+    class ReferencedType extends Schema.Class<ReferencedType>("ReferencedType")(
+      Schema.Struct({ something: Schema.String })
+    ) {}
+
+    const api = Api.make({ title: "test", version: "0.1" }).pipe(
+      Api.addEndpoint(
+        Api.post("getPet", "/pet").pipe(
+          Api.setResponseBody(ReferencedType),
+          Api.setSecurity(Security.basic())
+        )
+      )
+    )
+    const spec = OpenApi.make(api)
+    expect(spec.components?.schemas).toBeTruthy()
+    expect(spec.components?.securitySchemes).toBeTruthy()
+
+    // @ts-expect-error
+    SwaggerParser.validate(spec)
+  })
 })