[INS-1668] handle multiple security requirement objects #5047
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #INS-1668
Closes #4454
Investigation
According to spec there is logic defined when handling multiple security requirement objects:
What this means in practices is, again, according to spec:
The problem on Insomnia happened when we would define what by spec is a pair of security api keys to a given request, if we did it like this:
Insomnia would (wrongly) consider the first part of the pair and ignore the rest, resulting in only one of the variables being generated when interpreting the OpenAPI spec:
Which caused the symptoms we see in #4454. This wasn't reproducible if we didn't define a pair by spec:
since each would get handled as an 'OR', and would translate into this on the App:
After this PR
Now both approaches translate into:
And we leave out to the user to afterwards disable and pick whichever api key or security scheme they want to use in a particular request.
changelog(OpenAPI-2-Kong): Fixed an issue where multiple security requirement objects, like pairs of API keys, were not properly handled when generating requests from an OpenAPI spec