How to validate securityScheme from openapi #25

Closed
gohelkiran opened this issue Mar 15, 2023 · 7 comments
@gohelkiran

gohelkiran commented Mar 15, 2023

Get this error when securityScheme set with header

Osteel\OpenApi\Testing\Exceptions\ValidationException: None of security schemas did match for Request [get /operation/{operationUuid}]

Defined security scheme as Bearer header

```yaml
securitySchemes:
  X-Session:
    scheme: bearer
    bearerFormat: ''
    type: http
    description: Bearer Session Token
    x-last-modified: 1668326446280
```

and when validating request with below code

```php
$validator->validate($request, '/permissions/{permissionUuid}', 'GET');
```

It gives this error

Osteel\OpenApi\Testing\Exceptions\ValidationException: None of security schemas did match for Request [get /operation/{operationUuid}]

/web/vendor/osteel/openapi-httpfoundation-testing/src/Exceptions/ValidationException.php:32
/web/vendor/osteel/openapi-httpfoundation-testing/src/Validator.php:70
/web/tests/TestCase/Action/Operation/OperationTest.php:83

Caused by
League\OpenAPIValidation\PSR7\Exception\Validation\InvalidSecurity: None of security schemas did match for Request [get /operation/{operationUuid}]

/web/vendor/league/openapi-psr7-validator/src/PSR7/Exception/Validation/AddressValidationFailed.php:39
/web/vendor/league/openapi-psr7-validator/src/PSR7/Exception/Validation/InvalidSecurity.php:24
/web/vendor/league/openapi-psr7-validator/src/PSR7/Validators/SecurityValidator.php:80
/web/vendor/league/openapi-psr7-validator/src/PSR7/Validators/SecurityValidator.php:53
/web/vendor/league/openapi-psr7-validator/src/PSR7/Validators/ValidatorChain.php:25
/web/vendor/league/openapi-psr7-validator/src/PSR7/RoutedServerRequestValidator.php:49
/web/vendor/osteel/openapi-httpfoundation-testing/src/Validator.php:68
/web/tests/TestCase/Permission/OperationTest.php:83

Is there support to add headers to the validator request? If yes, then how to add headers, and if there is no support, then how to validate a request with a security scheme?

Your environment

php 8.0
openapi 3.0

@osteel
Owner

osteel commented Mar 15, 2023

Hi,

I think that's down to how you build your request object? Can't you build it with the proper headers? I don't know in which context you're using the package (Laravel? Test suite?), so I don't know where you get that request object from, nor if you can update and how 🙂

@gohelkiran
Author

Request object is constructed using Slim. There is a proper header set in the request but it gives an error. I found that no security headers are set anywhere in OperationAddress.

@osteel
Owner

osteel commented Mar 16, 2023

Sorry mate, I don't really know. To be honest this looks like it has more to do with Slim and/or using OpenAPI definitions than it does with using this package per se. As you can see the original exception is thrown by the underlying package, so maybe you'd have more luck opening an issue there

@gohelkiran
Author

@osteel I can post it there but is there any way to pass security headers when validating request to validator?

@osteel
Owner

osteel commented Mar 16, 2023

There is no feature to add these headers separately. Again, these headers should already be part of the request object, in my opinion

@gohelkiran
Author

Yes, the request object already has all the headers, but they are missing from the OperationAddress object where we are comparing the schemes, which is set from the Validators, but as you said there is no such feature

@osteel
Owner

osteel commented Mar 16, 2023

OperationAddress is a class from the package I've mentioned above. Like I said, it's probably an issue better suited for them. Closing this for now, as I believe I answered your question and cannot help you any further

@osteel osteel closed this as completed Mar 16, 2023
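
An added example, not code from either participant or from the package: it validates two Symfony HttpFoundation requests against a constructed spec that declares the same `type: http` / `scheme: bearer` scheme, one carrying the token in a header named after the scheme key and one carrying it as `Authorization: Bearer …`. It assumes that `ValidatorBuilder::fromYaml()` accepts a YAML string and that the underlying validator reads an HTTP bearer scheme from the `Authorization` header, as OpenAPI 3.0 defines it; the `/operations` path, the token value and the `check()` helper are hypothetical.

```php
<?php
// Added example. Assumes osteel/openapi-httpfoundation-testing and
// symfony/http-foundation are installed with Composer.
require __DIR__ . '/vendor/autoload.php';

use Osteel\OpenApi\Testing\Exceptions\ValidationException;
use Osteel\OpenApi\Testing\ValidatorBuilder;
use Symfony\Component\HttpFoundation\Request;

// Constructed spec: the scheme key "X-Session" is only a label inside the
// document; "type: http" + "scheme: bearer" is what describes the credential.
$spec = <<<'YAML'
openapi: 3.0.3
info:
  title: Constructed example
  version: 1.0.0
paths:
  /operations:
    get:
      security:
        - X-Session: []
      responses:
        '200':
          description: OK
components:
  securitySchemes:
    X-Session:
      type: http
      scheme: bearer
YAML;

$validator = ValidatorBuilder::fromYaml($spec)->getValidator();

// Hypothetical helper: returns 'valid' or the validator's rejection message.
function check($validator, Request $request): string
{
    try {
        $validator->validate($request, '/operations', 'get');
        return 'valid';
    } catch (ValidationException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Token sent in a header named like the scheme key (constructed value).
$named = Request::create('/operations', 'GET');
$named->headers->set('X-Session', 'constructed-token');

// Token sent the way an HTTP bearer scheme is defined (constructed value).
$bearer = Request::create('/operations', 'GET');
$bearer->headers->set('Authorization', 'Bearer constructed-token');

echo check($validator, $named), PHP_EOL;
echo check($validator, $bearer), PHP_EOL;
```

If an API really expects the token in a custom header such as `X-Session`, the spec would describe that with `type: apiKey`, `in: header` and `name: X-Session` rather than with an HTTP bearer scheme.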