pactflow / swagger-mock-validator


Gracefully handle incorrect security definitions #39

Open mefellows opened 11 months ago

mefellows commented 11 months ago

Given the following OAS and pact

security.oas.yml

openapi: 3.1.0
info:
  title: security example
  description: Demonstrate the supported security schemes
  version: 1.0.0
paths:
  /basic:
    get:
      summary: Basic authenticated endpoint
      description: Endpoint secured by basic auth
      operationId: getBasicAuth
      responses:
        "200":
          description: successful operation
        "401":
          description: unauthenticated
        "403":
          description: unauthorized
      security:
        - foo: []

security.pact.json:

{
  "consumer": {
    "name": "security-consumer"
  },
  "provider": {
    "name": "security-provider"
  },
  "interactions": [
    {
      "description": "a request to a basic auth endpoint",
      "request": {
        "method": "GET",
        "path": "/basic",
        "headers": {
          "Authorization": "Basic dXNlcjpwYXNzd29yZAo="
        }
      },
      "response": {
        "status": 200
      }
    }],
  "metadata": {
    "pactSpecification": {
      "version": "2.0.0"
    }
  }
}

The following error is given:

npx @pactflow/swagger-mock-validator@latest security.oas.yml security.pact.json
TypeError: Cannot read properties of undefined (reading 'type')
    at isApiKeySecuritySchemeInHeaderOrQuery (file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15762:17)
    at isSupportedRequirementDefinition (file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15768:10)
    at getCredential (file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15746:10)
    at toParsedSpecSecurityRequirement (file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15755:44)
    at file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15781:12
    at Array.map (<anonymous>)
    at parseSecurityRequirementGroup (file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15780:6)
    at file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15786:12
    at Array.map (<anonymous>)
    at parseAllSecurityRequirements (file:///Users/matthew.fellows/.npm/_npx/102906fda511f716/node_modules/@pactflow/swagger-mock-validator/dist/swagger-mock-validator-6f145e61.js:15785:67)

The issue is that foo is not a defined security scheme. A better error message would help.

We could also consider a behaviour where we actually ignore an invalid security definition if provided (i.e. be tolerant). SwaggerHub doesn't error in this case, for example.