[BUG][ruby] config shared across instances

[sonicdoe]

Description

In the ruby generator, config is shared across all instances. For example, setting config.api_key on one, changes it for all others as well.

This may be a security issue if separate instances are used to authenticate with different credentials.

openapi-generator version

7.19.0-SNAPSHOT

Steps to reproduce

$ git clone https://github.com/OpenAPITools/openapi-generator.git --depth 1
$ cd openapi-generator/samples/client/petstore/ruby
$ bundle install
$ irb -Ilib
irb(main):001> require 'petstore'
irb(main):002> client1 = Petstore::ApiClient.new
irb(main):003> client2 = Petstore::ApiClient.new
irb(main):004> client1.config.api_key
=> {}
irb(main):005> client2.config.api_key
=> {}
irb(main):006> client1.config.api_key['api_key_query'] = 'foo'
irb(main):007> client1.config.api_key
=> {"api_key_query" => "foo"}
irb(main):008> client2.config.api_key
=> {"api_key_query" => "foo"}

Suggest a fix

Currently, Configuration.default is a singleton and the default when instantiating a new ApiClient.

To fix this issue, we could create a new Configuration instance when instantiating a new ApiClient, merely copying the default configuration. While this would break calling .configure after instantiating a client, this was probably already surprising behavior as well. In any case, the new approach would match behavior of ActiveSupport::Configurable, for example.

[wing328]

when instantiating a new ApiClient

if i remember correctly, one can create a new configuration and pass to ApiClient constructor so that the ApiClient doesn't use the shared (default) configuration

[sonicdoe]

Indeed, but there are probably some settings one would want to share across all instances. For example, I may want to set timeout globally but change api_key per instance. To achieve that, I could duplicate Configuration.default, but even then I’d have to be careful because:

require 'petstore'

Petstore.configure do |config|
  config.timeout = 10
end

client1 = Petstore::ApiClient.new
client2 = Petstore::ApiClient.new(Petstore::Configuration.default.dup)

client1.config.api_key['api_key_query'] = 'foo'

client1.config.api_key
# => {"api_key_query" => "foo"}
client2.config.api_key
# => {"api_key_query" => "foo"}

One might argue that this is the user’s responsibility for shallow-cloning instead of deep-cloning Configuration.default, but I think it’s too easy to shoot yourself in the foot that there should be a safer and easier way to reconfigure individual instances.