Skip to content

feat: auto-configure security from OpenAPI securitySchemes#340

Open
jonaslagoni wants to merge 11 commits intomainfrom
issue-337-autoconfigure-security-from-op
Open

feat: auto-configure security from OpenAPI securitySchemes#340
jonaslagoni wants to merge 11 commits intomainfrom
issue-337-autoconfigure-security-from-op

Conversation

@jonaslagoni
Copy link
Contributor

@jonaslagoni jonaslagoni commented Mar 8, 2026
edited by cursor bot
Loading

Summary

Resolves #337

See implementation details in .claude/thoughts/issue-337-autoconfigure-security-from-op-2026-03-08/plan.md

Test Plan

  • All unit tests pass
  • All runtime tests pass
  • npm run prepare:pr passes

🤖 Generated with Claude Code

Note

Medium Risk
Changes affect generated authentication types and request auth application (API key defaults/cookie support and conditional OAuth2 helpers), which could alter output contracts and runtime behavior for existing generated clients.

Overview
TypeScript OpenAPI channel generation now parses securitySchemes/securityDefinitions and passes them into renderHttpCommonTypes, so generated clients only include the auth interfaces/union types actually used by the spec (while keeping a no-arg fallback that emits all types).

The HTTP fetch generator adds spec-driven defaults and safety: API key auth now supports cookie placement and uses generated API_KEY_DEFAULTS, OAuth2 helpers are emitted only when OAuth2/OpenID Connect schemes exist (otherwise type-safe stubs are generated) and all OAuth2 codepaths are runtime-guarded via AUTH_FEATURES; generated doc comments also include spec-derived token/auth URLs and sample scopes with escaping to prevent codegen injection.

Adds src/codegen/inputs/openapi/security.ts plus comprehensive unit tests and updates snapshots/runtime tests to reflect the new generated output and dynamic test server ports.

Written by Cursor Bugbot for commit a8a30cb. This will update automatically on new commits. Configure here.

@jonaslagoni @claude
feat: Auto-configure security from OpenAPI securitySchemes
244b49f 
Resolves #337

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jonaslagoni jonaslagoni requested a review from ALagoni97 as a code owner March 8, 2026 21:08
@vercel
Copy link

vercel bot commented Mar 8, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
the-codegen-project Ready Ready Preview, Comment Mar 9, 2026 10:25am
the-codegen-project-mcp Ready Ready Preview, Comment Mar 9, 2026 10:25am

@netlify
Copy link

netlify bot commented Mar 8, 2026
edited
Loading

Deploy Preview for the-codegen-project canceled.

Name Link
🔨 Latest commit a8a30cb
🔍 Latest deploy log https://app.netlify.com/projects/the-codegen-project/deploys/69ae9e91d8689000081be7cf

@jonaslagoni jonaslagoni changed the title feat: Auto-configure security from OpenAPI securitySchemes feat: auto-configure security from OpenAPI securitySchemes Mar 8, 2026
cursor[bot]
cursor bot reviewed Mar 8, 2026
View reviewed changes
@jonaslagoni @claude
fix: use dynamic port assignment in HTTP runtime tests
1a6014c 
The HTTP runtime tests were using randomly generated ports which could
cause EADDRINUSE errors when multiple tests ran in parallel and got
the same random port. This fix:

- Uses port 0 to let the OS assign an available port
- Properly handles server errors with 'error' event listener
- Passes the actual assigned port to test callbacks via a new parameter

This ensures tests don't fail due to port collisions in CI.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cursor[bot]
cursor bot reviewed Mar 8, 2026
View reviewed changes
jonaslagoni and others added 2 commits March 9, 2026 08:54
@jonaslagoni @claude
fix: ensure OAuth2 helper functions are always available in generated…
dec8c7b 
… code

- Added renderOAuth2Stubs() to generate type-safe stub functions when
  OAuth2 is not needed, ensuring TypeScript compilation succeeds
- Changed fallback AuthConfig to use 'never' type instead of union of
  all auth types when no recognized security schemes exist
- Added AUTH_FEATURES.oauth2 runtime guards to generated function code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jonaslagoni
wip
bdba1cb
cursor[bot]
cursor bot reviewed Mar 9, 2026
View reviewed changes
@jonaslagoni @claude
fix: address PR review comments for HTTP security types
7274f5a 
- Fix ApiKeyAuth default mismatch: generated interface docs and runtime
  now use consistent spec-derived defaults instead of hardcoded 'X-API-Key'
- Eliminate redundant analyzeSecuritySchemes call by passing pre-computed
  requirements to renderSecurityTypes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cursor[bot]
cursor bot reviewed Mar 9, 2026
View reviewed changes
@jonaslagoni @claude
fix: escape OpenAPI spec values in generated TypeScript code
6ef33d1 
Add escapeStringForCodeGen helper to escape special characters (backslashes,
single quotes, backticks, dollar signs) in OpenAPI spec values before
interpolating them into generated TypeScript. Prevents syntax errors when
spec values contain characters like quotes in apiKeyName, tokenUrl, etc.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cursor[bot]
cursor bot reviewed Mar 9, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

@jonaslagoni @claude
refactor: extract shared API key defaults logic into helper function
8663c47 
Addresses PR review comment about duplicated logic between
renderApiKeyAuthInterface and API_KEY_DEFAULTS template interpolation.
Both now call getApiKeyDefaults() to ensure consistency.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jonaslagoni @claude
fix: update tests for API key defaults from spec
0118d21 
The generated code now uses 'api_key' as the default header name
(extracted from the OpenAPI spec) instead of the generic 'X-API-Key'.
Updated the runtime test to expect this correct header name and
updated snapshots to reflect the new generated output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jonaslagoni @claude
fix: resolve ESLint errors in fetch.ts
20fceee 
- Add curly braces after if condition
- Remove multiple spaces before inline comments

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jonaslagoni @claude
Merge main into issue-337-autoconfigure-security-from-op
8e56847 
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@jonaslagoni @claude
Merge main into issue-337-autoconfigure-security-from-op
a8a30cb 
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@ALagoni97 ALagoni97 Awaiting requested review from ALagoni97 ALagoni97 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Auto-configure security from OpenAPI securitySchemes

1 participant

@jonaslagoni