feat(respect): resolve and apply x security to step (#2076)

DmitryAnansky · web-flow · commit ef010f727615 · 2025-05-12T12:14:42.000+03:00
diff --git a/packages/respect-core/src/modules/description-parser/get-operation-by-id.ts b/packages/respect-core/src/modules/description-parser/get-operation-by-id.ts
@@ -32,6 +32,7 @@ export function getOperationById(
   }
 
   const description = descriptions[descriptionName];
+  const securitySchemes = description?.components?.securitySchemes;
   const rootServers = description.servers;
 
   for (const [path, pathDetails] of Object.entries(descriptions[descriptionName].paths)) {
@@ -48,6 +49,7 @@ export function getOperationById(
           path,
           method,
           descriptionName,
+          securitySchemes,
         };
       }
     }
diff --git a/packages/respect-core/src/modules/description-parser/get-operation-by-path.ts b/packages/respect-core/src/modules/description-parser/get-operation-by-path.ts
@@ -38,6 +38,8 @@ export function getOperationByPath(
   }
 
   const description = $sourceDescriptions[descriptionName] || {};
+  const securitySchemes = description?.components?.securitySchemes;
+
   const [prop, path, method] = JsonPointerLib.parse(fragmentIdentifier);
 
   if (prop !== 'paths') {
@@ -60,5 +62,6 @@ export function getOperationByPath(
     path,
     method,
     descriptionName,
+    securitySchemes,
   };
 }
diff --git a/packages/respect-core/src/modules/flow-runner/prepare-request.ts b/packages/respect-core/src/modules/flow-runner/prepare-request.ts
@@ -12,6 +12,7 @@ import {
 import { getServerUrl } from './get-server-url.js';
 import { createRuntimeExpressionCtx, collectSecretFields } from './context/index.js';
 import { evaluateRuntimeExpressionPayload } from '../runtime-expressions/index.js';
+import { resolveXSecurityParameters } from './resolve-x-security-parameters.js';
 
 import type { ParameterWithIn } from '../config-parser/index.js';
 import type { TestContext, Step, Parameter, PublicStep } from '../../types.js';
@@ -139,7 +140,8 @@ export async function prepareRequest(
     step,
   });
 
-  const evaluatedParameters = parameters.map((parameter) => {
+  const xSecurityParameters = resolveXSecurityParameters(expressionContext, step, openapiOperation);
+  const evaluatedParameters = joinParameters(parameters, xSecurityParameters).map((parameter) => {
     return {
       ...parameter,
       value: evaluateRuntimeExpressionPayload({
@@ -196,7 +198,8 @@ function joinParameters(...parameters: ParameterWithIn[][]): ParameterWithIn[] {
   const parametersWithNames = parameters.flat().filter((param) => 'name' in param);
 
   const parameterMap = parametersWithNames.reduce((map, param) => {
-    map[param.name] = param;
+    const key = `${param.name}:${param.in}`;
+    map[key] = param;
     return map;
   }, {} as { [key: string]: ParameterWithIn });
 
diff --git a/packages/respect-core/src/modules/flow-runner/resolve-x-security-parameters.ts b/packages/respect-core/src/modules/flow-runner/resolve-x-security-parameters.ts
@@ -0,0 +1,55 @@
+import { evaluateRuntimeExpressionPayload } from '../runtime-expressions/index.js';
+
+import type { ParameterWithIn } from '../config-parser/index.js';
+import type { Step, RuntimeExpressionContext } from '../../types.js';
+import type { OperationDetails } from '../description-parser/get-operation-from-description.js';
+
+export function resolveXSecurityParameters(
+  ctx: RuntimeExpressionContext,
+  step: Step,
+  operation: (OperationDetails & Record<string, any>) | undefined
+) {
+  const { 'x-security': xSecurity } = step;
+  const xSecurityParameters: ParameterWithIn[] = [];
+
+  if (!xSecurity) {
+    return xSecurityParameters;
+  }
+
+  for (const securityScheme of xSecurity) {
+    const { schemeName, scheme, values } = securityScheme;
+
+    const resolvedValues = Object.entries(values || {}).reduce<Record<string, any>>(
+      (acc, [key, value]) => ({
+        ...acc,
+        [key]: evaluateRuntimeExpressionPayload({ payload: value, context: ctx }),
+      }),
+      {}
+    );
+
+    let resolvedSchema = null;
+    if (schemeName) {
+      resolvedSchema = operation?.securitySchemes[schemeName] || null;
+    } else {
+      resolvedSchema = scheme;
+    }
+
+    // TODO: replace with the Auth algorithm functions
+    if (resolvedSchema?.type === 'apiKey' && resolvedValues?.value) {
+      xSecurityParameters.push({
+        name: resolvedSchema.name,
+        in: resolvedSchema.in,
+        value: resolvedValues.value as string | number | boolean,
+      });
+    } else if (resolvedSchema?.type === 'http' && resolvedSchema?.scheme === 'basic') {
+      const { username, password } = resolvedValues;
+      xSecurityParameters.push({
+        name: 'Authorization',
+        in: 'header',
+        value: `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`,
+      });
+    }
+  }
+
+  return xSecurityParameters;
+}

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ export function getOperationById(`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`const description = descriptions[descriptionName];`
	`35`	`+ const securitySchemes = description?.components?.securitySchemes;`
`35`	`36`	`const rootServers = description.servers;`
`36`	`37`
`37`	`38`	`for (const [path, pathDetails] of Object.entries(descriptions[descriptionName].paths)) {`
`@@ -48,6 +49,7 @@ export function getOperationById(`
`48`	`49`	`path,`
`49`	`50`	`method,`
`50`	`51`	`descriptionName,`
	`52`	`+ securitySchemes,`
`51`	`53`	`};`
`52`	`54`	`}`
`53`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,8 @@ export function getOperationByPath(`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`const description = $sourceDescriptions[descriptionName] \|\| {};`
	`41`	`+ const securitySchemes = description?.components?.securitySchemes;`
	`42`	`+`
`41`	`43`	`const [prop, path, method] = JsonPointerLib.parse(fragmentIdentifier);`
`42`	`44`
`43`	`45`	`if (prop !== 'paths') {`
`@@ -60,5 +62,6 @@ export function getOperationByPath(`
`60`	`62`	`path,`
`61`	`63`	`method,`
`62`	`64`	`descriptionName,`
	`65`	`+ securitySchemes,`
`63`	`66`	`};`
`64`	`67`	`}`