feat: impl path security

jlalmes · Aug 8, 2023 · a2f9551 · a2f9551
1 parent d1eab87
commit a2f9551
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 14 deletions.
diff --git a/src/generator/paths.ts b/src/generator/paths.ts
@@ -56,14 +56,31 @@ export const getOpenApiPathsObject = (
 
       const { inputParser, outputParser } = getInputOutputParsers(procedure);
 
+      let securityNames: string[] | undefined;
+
+      if (protect) {
+        if (Array.isArray(protect)) {
+          const unexists = protect.filter((name) => !securitySchemeNames.includes(name));
+          if (unexists.length) {
+            throw new TRPCError({
+              message: `"${unexists.join(',')}" must exists in "securitySchemes"`,
+              code: 'INTERNAL_SERVER_ERROR',
+            });
+          }
+          securityNames = protect;
+        } else {
+          securityNames = securitySchemeNames;
+        }
+      }
+
       pathsObject[path] = {
         ...pathsObject[path],
         [httpMethod]: {
           operationId: procedurePath.replace(/\./g, '-'),
           summary,
           description,
           tags: tags,
-          security: protect ? securitySchemeNames.map((name) => ({ [name]: [] })) : undefined,
+          security: securityNames?.map((name) => ({ [name]: [] })),
           ...(acceptsRequestBody(method)
             ? {
                 requestBody: getRequestBodyObject(
@@ -94,7 +111,11 @@ export const getOpenApiPathsObject = (
                   ) || []),
                 ],
               }),
-          responses: getResponsesObject(outputParser, openapi.example?.response, openapi.responseHeaders),
+          responses: getResponsesObject(
+            outputParser,
+            openapi.example?.response,
+            openapi.responseHeaders,
+          ),
           ...(openapi.deprecated ? { deprecated: openapi.deprecated } : {}),
         },
       };

diff --git a/src/types.ts b/src/types.ts
@@ -22,7 +22,7 @@ export type OpenApiMeta<TMeta = TRPCMeta> = TMeta & {
     path: `/${string}`;
     summary?: string;
     description?: string;
-    protect?: boolean;
+    protect?: boolean | string[];
     tags?: string[];
     headers?: (OpenAPIV3.ParameterBaseObject & { name: string; in?: 'header' })[];
     contentTypes?: OpenApiContentType[];

diff --git a/test/generator.test.ts b/test/generator.test.ts
@@ -849,6 +849,54 @@ describe('generator', () => {
     ]);
   });
 
+  test('with defined security', () => {
+    const appRouter = t.router({
+      protectedEndpoint: t.procedure
+        .meta({
+          openapi: { method: 'POST', path: '/secure/endpoint', protect: ['a', 'b'] },
+        })
+        .input(z.object({ name: z.string() }))
+        .output(z.object({ name: z.string() }))
+        .query(({ input }) => ({ name: input.name })),
+    });
+
+    const openApiDocument = generateOpenApiDocument(appRouter, {
+      ...defaultDocOpts,
+      securitySchemes: {
+        a: {
+          type: 'apiKey',
+          name: 'a',
+          in: 'header',
+        },
+        b: {
+          type: 'apiKey',
+          name: 'b',
+          in: 'header',
+        },
+      },
+    });
+
+    expect(openApiSchemaValidator.validate(openApiDocument).errors).toEqual([]);
+    expect(openApiDocument.paths['/secure/endpoint']!.post!.security).toEqual([
+      { a: [] },
+      { b: [] },
+    ]);
+  });
+
+  test('with missing securityScheme', () => {
+    const appRouter = t.router({
+      protectedEndpoint: t.procedure
+        .meta({ openapi: { method: 'POST', path: '/secure/endpoint', protect: ['a', 'b'] } })
+        .input(z.object({ name: z.string() }))
+        .output(z.object({ name: z.string() }))
+        .query(({ input }) => ({ name: input.name })),
+    });
+
+    expect(() => {
+      generateOpenApiDocument(appRouter, defaultDocOpts);
+    }).toThrowError('[query.protectedEndpoint] - "a,b" must exists in "securitySchemes"');
+  });
+
   test('with schema descriptions', () => {
     const appRouter = t.router({
       createUser: t.procedure
@@ -2807,26 +2855,26 @@ describe('generator', () => {
             method: 'GET',
             path: '/query-example/{name}',
             responseHeaders: {
-              "X-RateLimit-Limit": {
-                description: "Request limit per hour.",
+              'X-RateLimit-Limit': {
+                description: 'Request limit per hour.',
                 schema: {
-                  type: "integer"
-                }
+                  type: 'integer',
+                },
               },
-              "X-RateLimit-Remaining": {
-                description: "The number of requests left for the time window.",
+              'X-RateLimit-Remaining': {
+                description: 'The number of requests left for the time window.',
                 schema: {
-                  type: "integer"
-                }
-              }
-            }
+                  type: 'integer',
+                },
+              },
+            },
           },
         })
         .input(z.object({ name: z.string(), greeting: z.string() }))
         .output(z.object({ output: z.string() }))
         .query(({ input }) => ({
           output: `${input.greeting} ${input.name}`,
-        }))
+        })),
     });
 
     const openApiDocument = generateOpenApiDocument(appRouter, defaultDocOpts);