fix(openapi): don't emit a cookie apiKey as a silent header key#474
Open
rejifald wants to merge 1 commit into
Open
fix(openapi): don't emit a cookie apiKey as a silent header key#474rejifald wants to merge 1 commit into
rejifald wants to merge 1 commit into
Conversation
`stitch gen openapi`'s `deriveAuth` matched every `type: apiKey` scheme, but core's `apiKey()` only models a header (default) or query key — `name` locates the key in both arms. An `in: cookie` scheme fell into the default (header) arm and was emitted as a header key: wrong transport, silently, with no warning. Guard the branch to `in` of header/query/undefined so a cookie scheme falls through to the existing "not auto-mapped — set client.ts auth manually" warning instead. Adds header/query/cookie coverage to gen-openapi.spec.ts. Carved out of the #470 contract-freeze sweep so this correctness fix can land and be reviewed on its own, ahead of the mechanical rename bulk. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
stitch gen openapi'sderiveAuthmapped everytype: apiKeysecurity scheme to acore
apiKey({ … })call. But core'sapiKey()only models two locations — a headerkey (the default arm) or a query key;
namelocates the key in both. Anin: cookieapiKey scheme has no arm, so it fell into the default (header) arm and was emitted as a
header key: the wrong transport, silently, with no warning to the developer.
This guards the branch to
inofheader/query/undefined. Acookiescheme (orany other unmodelled
in) now falls through to the existing"security scheme … not auto-mapped — set client.ts auth manually" warning, which is the
correct, honest behavior.
Test
Adds header / query / cookie coverage to
gen-openapi.spec.ts. The cookie case asserts noapiKey(call is emitted and the not-auto-mapped warning is present — it fails onmainand passes with the guard.
Context
Carved out of the big #470 contract-freeze sweep so this correctness fix can land and be
reviewed on its own, ahead of the mechanical rename bulk. In #470 the same hunk is
interleaved with a P7
only/tagswidening and ascope→poolrename; only theapiKeyguard is included here.Verification
pnpm --filter @stitchapi/openapi test(21 pass) +check:typesclean; full pre-pushgate suite green.
🤖 Generated with Claude Code