superfaceai / cli

Let AI connect the APIs for you
https://superface.ai
MIT License

[BUG] Multiple Authentication Types applied together are not handled correctly #363

Open zdne opened 1 year ago

zdne commented 1 year ago

When the OpenAPI specification defines multiple authentication types and they are applied simultaneously, the provider definition defines them as two separate authentication types.

Refer to Using Multiple Authentication Types.

In the situation where security is defined as two types applied at the same time:

security:
  - A: []
    B: []

the A and B must be applied at the same time.

For example, using the Raynet CRM API:

  "security": [
    {
      "basicAuth": [],
      "instanceName": []
    }
  ],

with security schemes defined as follows:

  "components": {
    "securitySchemes": {
      "basicAuth": {
        "type": "http",
        "scheme": "basic"
      },
      "instanceName": {
        "type": "apiKey",
        "description": "instance name",
        "name": "X-Instance-Name",
        "in": "header"
      }
    },

the resulting security of APIs should include both basic authentication and the custom "api key" header X-Instance-Name. Without either one of those, the call is considered unauthenticated.

Expected Behavior

The two authentication types are used together.

Possible Solution

One solution would require changing the provider definition format to accommodate multiple auth types used simultaneously.

Otherwise, we can leave the provider definition as is and, based on the indexed API docs, make sure that both securitySchemes are used in the map.

Steps to Reproduce

  1. Visit https://app.raynet.cz/api/doc/
  2. Download their OAS
  3. Run superface prepare <raynet OAS>


Jakub-Vacek commented 1 year ago

I think this is more of a limitation than a bug. There is definitely some work in Engine that needs to be done to support this. @freaz Can SDK use more than one security id?

freaz commented 1 year ago

You are right. OneSDK never supported applying multiple security configurations to one request, so it needs to be added.
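The AND/OR semantics described in the issue, as an added example that is not superface or OneSDK code: entries of `security` are alternatives, and every scheme named inside one entry must be applied to the same request. The `Secrets` shape and the function names `headerFor` and `securityHeaders` are assumptions made for this sketch.

```typescript
// Added example (not superface code). Types cover only the OAS fields quoted in the issue.
type Scheme =
  | { type: "http"; scheme: string }
  | { type: "apiKey"; name: string; in: string; description?: string };
type Requirement = { [schemeId: string]: string[] };
// Hypothetical shape for configured credentials, keyed by security scheme id.
type Secrets = { [schemeId: string]: { username?: string; password?: string; apikey?: string } };

// Constructed sample: the Raynet CRM fragments quoted in the issue.
const schemes: { [id: string]: Scheme } = {
  basicAuth: { type: "http", scheme: "basic" },
  instanceName: { type: "apiKey", description: "instance name", name: "X-Instance-Name", in: "header" },
};
const security: Requirement[] = [{ basicAuth: [], instanceName: [] }];

// Header contributed by one scheme, or null when its secret is missing or unsupported here.
function headerFor(id: string, secrets: Secrets): [string, string] | null {
  const scheme = schemes[id];
  const s = secrets[id];
  if (!scheme || !s) return null;
  if (scheme.type === "http" && scheme.scheme === "basic") {
    if (s.username === undefined || s.password === undefined) return null;
    const token = Buffer.from(`${s.username}:${s.password}`).toString("base64");
    return ["Authorization", `Basic ${token}`];
  }
  if (scheme.type === "apiKey" && scheme.in === "header" && s.apikey !== undefined) {
    return [scheme.name, s.apikey];
  }
  return null;
}

// Entries of `security` are alternatives (OR); every key inside one entry is required (AND).
// Returns headers for the first alternative that can be satisfied completely, otherwise null,
// so a partially configured requirement is reported instead of being sent half-authenticated.
function securityHeaders(reqs: Requirement[], secrets: Secrets): { [name: string]: string } | null {
  for (const req of reqs) {
    const headers: { [name: string]: string } = {};
    let complete = true;
    for (const id of Object.keys(req)) {
      const h = headerFor(id, secrets);
      if (h === null) { complete = false; break; }
      headers[h[0]] = h[1];
    }
    if (complete) return headers;
  }
  return null;
}
```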