danielgtaylor / huma

Huma REST/HTTP API Framework for Golang with OpenAPI 3.1
https://huma.rocks/
MIT License
2.2k stars 152 forks source link

fix: marshal empty security object #603

Closed danielgtaylor closed 1 month ago

danielgtaylor commented 1 month ago

This implements the suggestion from #593 to enable better nil checks using reflection and to make sure the security object is marshaled anytime it is not nil, since an empty array [] has valid semantic meaning in OpenAPI to e.g. remove a top-level security requirement to make a single route public.

Adds a test to ensure the empty security object is marshaled. Fixes #593.
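The distinction this change relies on, as an added Go example (not code from huma or from this PR): `omitempty` drops an empty slice, a reflection-based nil check keeps it, and a consumer applying the OpenAPI override rule reads the two documents differently. The helper names (`marshalOmitEmpty`, `marshalOmitNil`, `isNil`, `effective`) and the `bearer` scheme are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

type Requirement = map[string][]string // scheme name -> scopes

// marshalOmitEmpty is the pre-fix shape: omitempty drops nil AND empty slices.
func marshalOmitEmpty(sec []Requirement) string {
	b, _ := json.Marshal(struct{ S []Requirement `json:"security,omitempty"` }{sec})
	return string(b)
}

// isNil: a nil slice boxed in `any` is not == nil, hence the reflection.
func isNil(v any) bool {
	switch rv := reflect.ValueOf(v); rv.Kind() {
	case reflect.Invalid:
		return true
	case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
		return rv.IsNil()
	}
	return false
}

// marshalOmitNil emits "security" whenever the slice is non-nil, even if empty.
func marshalOmitNil(sec []Requirement) string {
	if isNil(sec) {
		return "{}"
	}
	b, _ := json.Marshal(map[string]any{"security": sec})
	return string(b)
}

// effective: a present operation-level "security" replaces the global one; absent inherits.
func effective(opJSON string, global []Requirement) []Requirement {
	var op struct{ Security *[]Requirement `json:"security"` }
	if json.Unmarshal([]byte(opJSON), &op) != nil || op.Security == nil {
		return global
	}
	return *op.Security
}

func main() {
	global, public := []Requirement{{"bearer": {}}}, []Requirement{} // constructed sample
	fmt.Println(len(effective(marshalOmitEmpty(public), global)), len(effective(marshalOmitNil(public), global)))
}
```

With the key omitted, the generated document still shows the route inheriting the global requirement; with `"security":[]` present it is documented as public, so the spec matches what the operation was registered with.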

coderabbitai[bot] commented 1 month ago

Walkthrough

The changes introduce a new test case in huma_test.go for an API operation that allows public access without security requirements. It registers a new GET operation at the path /public with an empty security array. In openapi.go, a new function isNilValue is added to check for nil values, enhancing JSON marshaling logic. The marshalJSON function is updated to use this new method, and the MarshalJSON method for the Operation struct is modified to omit the security field when it is nil instead of when it is empty.

Changes

| Files | Change Summary |
|---|---|
| huma_test.go | Added a test case in TestFeatures for a new public API operation with no security requirements. |
| openapi.go | Introduced isNilValue function to check for nil values; updated marshalJSON and MarshalJSON methods for improved field omission logic. |

Assessment against linked issues

| Objective | Addressed | Explanation |
|---|---|---|
| Ensure security: [] is reflected in OAS for operations (#593) | ✅ | |

Poem

🐰 In the meadow where the code does play,
A new path opens, bright as day.
With security light, the public can roam,
Hopping through APIs, they feel at home.
A nil check added, to keep things neat,
In the world of JSON, it's quite a feat! 🌼


📜 Recent review details

**Configuration used: CodeRabbit UI**
**Review profile: CHILL**

📥 Commits: Files that changed from the base of the PR and between b509335630ce907c5794039064cba628c7a81317 and 258794986dae91253533296aa34af8831d51d5df.

📒 Files selected for processing (2)

* huma_test.go (1 hunks)
* openapi.go (3 hunks)

🔇 Additional comments (5)

openapi.go (4)

`54-71`: **Comprehensive nil check implementation**

The new `isNilValue` function is a well-implemented utility that enhances nil checks beyond simple equality. It correctly handles various types such as channels, functions, interfaces, maps, pointers, and slices using reflection. This addition will improve the robustness of nil checks throughout the codebase.

`978-978`: **Fix for marshaling empty security object**

This change addresses the issue described in #593 by using `omitNil` instead of `omitEmpty` for the `security` field. This ensures that an empty array `[]` is properly marshaled, which is semantically significant in OpenAPI for indicating that a route should be publicly accessible. The change aligns perfectly with the PR objectives and resolves the limitation in the previous implementation.

`79-79`: **Appropriate usage of new `isNilValue` function**

The new `isNilValue` function is correctly utilized in the `marshalJSON` function, enhancing the nil check for fields marked with `omitNil`. This usage aligns well with the function's purpose and improves the overall robustness of the JSON marshaling process. Additionally, the change to the `Operation` struct's `MarshalJSON` method appears to be isolated and doesn't seem to have any unintended consequences on other parts of the code.

Line range hint `54-978`: **Summary of changes and overall impact**

The changes in this file effectively address the issue of marshaling empty security objects in OpenAPI specifications. The introduction of the `isNilValue` function provides a robust way to check for nil values across various types, which is then utilized in the JSON marshaling process. The modification to the `Operation` struct's `MarshalJSON` method ensures that empty security arrays are correctly represented, allowing for the specification of publicly accessible routes. These changes are focused, clean, and solve the problem without introducing unnecessary complexity. Moreover, the `isNilValue` function has potential for broader use throughout the codebase, adding value beyond this specific fix. Overall, these modifications improve the accuracy and flexibility of the OpenAPI specification generation, particularly in handling security-related configurations.

huma_test.go (1)

`1795-1812`: **LGTM! New test case for security override feature.**

The new test case "security-override-public" has been added to the `TestFeatures` function. It tests the ability to override security settings for a specific endpoint, making it publicly accessible. The implementation looks correct and follows the existing pattern of other test cases in this function. Key points:

1. The test registers a new GET operation at the path "/public".
2. It sets an empty security array, effectively making the endpoint public.
3. The test verifies that the OpenAPI document correctly serializes the empty security array as `"security":[]`.

This addition enhances the test coverage for the security override feature and ensures that the OpenAPI documentation accurately reflects the security settings.

codecov[bot] commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 92.83%. Comparing base (b509335) to head (2587949). Report is 2 commits behind head on main.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #603      +/-   ##
==========================================
+ Coverage   92.82%   92.83%   +0.01%
==========================================
  Files          22       22
  Lines        3915     3923       +8
==========================================
+ Hits         3634     3642       +8
  Misses        236      236
  Partials       45       45
```
