Fix: Security schemes protected procedures (#306)

Author: jlalmes

README.md

@@ -289,31 +289,32 @@ export const openApi = createOpenApiAwsLambdaHandler({ router: appRouter });
 
 Please see [full typings here](src/generator/index.ts).
 
-| Property      | Type       | Description                          | Required |
-| ------------- | ---------- | ------------------------------------ | -------- |
-| `title`       | `string`   | The title of the API.                | `true`   |
-| `description` | `string`   | A short description of the API.      | `false`  |
-| `version`     | `string`   | The version of the OpenAPI document. | `true`   |
-| `baseUrl`     | `string`   | The base URL of the target server.   | `true`   |
-| `docsUrl`     | `string`   | A URL to any external documentation. | `false`  |
-| `tags`        | `string[]` | A list for ordering endpoint groups. | `false`  |
+| Property          | Type                                   | Description                                             | Required |
+| ----------------- | -------------------------------------- | ------------------------------------------------------- | -------- |
+| `title`           | `string`                               | The title of the API.                                   | `true`   |
+| `description`     | `string`                               | A short description of the API.                         | `false`  |
+| `version`         | `string`                               | The version of the OpenAPI document.                    | `true`   |
+| `baseUrl`         | `string`                               | The base URL of the target server.                      | `true`   |
+| `docsUrl`         | `string`                               | A URL to any external documentation.                    | `false`  |
+| `tags`            | `string[]`                             | A list for ordering endpoint groups.                    | `false`  |
+| `securitySchemes` | `Record<string, SecuritySchemeObject>` | Defaults to `Authorization` header with `Bearer` scheme | `false`  |
 
 #### OpenApiMeta
 
 Please see [full typings here](src/types.ts).
 
-| Property       | Type                | Description                                                                                                  | Required | Default                |
-| -------------- | ------------------- | ------------------------------------------------------------------------------------------------------------ | -------- | ---------------------- |
-| `enabled`      | `boolean`           | Exposes this procedure to `trpc-openapi` adapters and on the OpenAPI document.                               | `false`  | `true`                 |
-| `method`       | `HttpMethod`        | HTTP method this endpoint is exposed on. Value can be `GET`, `POST`, `PATCH`, `PUT` or `DELETE`.             | `true`   | `undefined`            |
-| `path`         | `string`            | Pathname this endpoint is exposed on. Value must start with `/`, specify path parameters using `{}`.         | `true`   | `undefined`            |
-| `protect`      | `boolean`           | Requires this endpoint to use an `Authorization` header credential with `Bearer` scheme on OpenAPI document. | `false`  | `false`                |
-| `summary`      | `string`            | A short summary of the endpoint included in the OpenAPI document.                                            | `false`  | `undefined`            |
-| `description`  | `string`            | A verbose description of the endpoint included in the OpenAPI document.                                      | `false`  | `undefined`            |
-| `tags`         | `string[]`          | A list of tags used for logical grouping of endpoints in the OpenAPI document.                               | `false`  | `undefined`            |
-| `headers`      | `ParameterObject[]` | An array of custom headers to add for this endpoint in the OpenAPI document.                                 | `false`  | `undefined`            |
-| `contentTypes` | `ContentType[]`     | A set of content types specified as accepted in the OpenAPI document.                                        | `false`  | `['application/json']` |
-| `deprecated`   | `boolean`           | Whether or not to mark an endpoint as deprecated                                                             | `false`  | `false`                |
+| Property       | Type                | Description                                                                                          | Required | Default                |
+| -------------- | ------------------- | ---------------------------------------------------------------------------------------------------- | -------- | ---------------------- |
+| `enabled`      | `boolean`           | Exposes this procedure to `trpc-openapi` adapters and on the OpenAPI document.                       | `false`  | `true`                 |
+| `method`       | `HttpMethod`        | HTTP method this endpoint is exposed on. Value can be `GET`, `POST`, `PATCH`, `PUT` or `DELETE`.     | `true`   | `undefined`            |
+| `path`         | `string`            | Pathname this endpoint is exposed on. Value must start with `/`, specify path parameters using `{}`. | `true`   | `undefined`            |
+| `protect`      | `boolean`           | Requires this endpoint to use a security scheme.                                                     | `false`  | `false`                |
+| `summary`      | `string`            | A short summary of the endpoint included in the OpenAPI document.                                    | `false`  | `undefined`            |
+| `description`  | `string`            | A verbose description of the endpoint included in the OpenAPI document.                              | `false`  | `undefined`            |
+| `tags`         | `string[]`          | A list of tags used for logical grouping of endpoints in the OpenAPI document.                       | `false`  | `undefined`            |
+| `headers`      | `ParameterObject[]` | An array of custom headers to add for this endpoint in the OpenAPI document.                         | `false`  | `undefined`            |
+| `contentTypes` | `ContentType[]`     | A set of content types specified as accepted in the OpenAPI document.                                | `false`  | `['application/json']` |
+| `deprecated`   | `boolean`           | Whether or not to mark an endpoint as deprecated                                                     | `false`  | `false`                |
 
 #### CreateOpenApiNodeHttpHandlerOptions
 

src/generator/index.ts

@@ -20,6 +20,12 @@ export const generateOpenApiDocument = (
   appRouter: OpenApiRouter,
   opts: GenerateOpenApiDocumentOptions,
 ): OpenAPIV3.Document => {
+  const securitySchemes = opts.securitySchemes || {
+    Authorization: {
+      type: 'http',
+      scheme: 'bearer',
+    },
+  };
   return {
     openapi: openApiVersion,
     info: {
@@ -32,14 +38,9 @@ export const generateOpenApiDocument = (
         url: opts.baseUrl,
       },
     ],
-    paths: getOpenApiPathsObject(appRouter, {}),
+    paths: getOpenApiPathsObject(appRouter, Object.keys(securitySchemes)),
     components: {
-      securitySchemes: opts.securitySchemes || {
-        Authorization: {
-          type: 'http',
-          scheme: 'bearer',
-        },
-      },
+      securitySchemes,
       responses: {
         error: errorResponseObject,
       },

src/generator/paths.ts

@@ -9,8 +9,9 @@ import { getParameterObjects, getRequestBodyObject, getResponsesObject } from '.
 
 export const getOpenApiPathsObject = (
   appRouter: OpenApiRouter,
-  pathsObject: OpenAPIV3.PathsObject,
+  securitySchemeNames: string[],
 ): OpenAPIV3.PathsObject => {
+  const pathsObject: OpenAPIV3.PathsObject = {};
   const procedures = appRouter._def.procedures as OpenApiProcedureRecord;
 
   forEachOpenApiProcedure(procedures, ({ path: procedurePath, type, procedure, openapi }) => {
@@ -62,7 +63,7 @@ export const getOpenApiPathsObject = (
           summary,
           description,
           tags: tags,
-          security: protect ? [{ Authorization: [] }] : undefined,
+          security: protect ? securitySchemeNames.map((name) => ({ [name]: [] })) : undefined,
           ...(acceptsRequestBody(method)
             ? {
                 requestBody: getRequestBodyObject(inputParser, pathParameters, contentTypes),

test/generator.test.ts

@@ -2593,7 +2593,13 @@ describe('generator', () => {
   });
 
   test('with security schemes', () => {
-    const appRouter = t.router({});
+    const appRouter = t.router({
+      protected: t.procedure
+        .meta({ openapi: { method: 'POST', path: '/protected', protect: true } })
+        .input(z.object({ payload: z.string() }))
+        .output(z.object({ payload: z.string() }))
+        .mutation(({ input }) => ({ payload: input.payload })),
+    });
 
     const openApiDocument = generateOpenApiDocument(appRouter, {
       title: 'tRPC OpenAPI',
@@ -2616,5 +2622,6 @@ describe('generator', () => {
         name: 'X-API-Key',
       },
     });
+    expect(openApiDocument.paths['/protected']!.post!.security).toEqual([{ ApiKey: [] }]);
   });
 });