feat: Add missed authentication options to OpenAPI spec (#2967)

asvishnyakov · web-flow · commit f4e41d90d720 · 2025-12-11T11:09:00.000+02:00
diff --git a/src/VirtoCommerce.Platform.Web/Swagger/SwaggerServiceCollectionExtensions.cs b/src/VirtoCommerce.Platform.Web/Swagger/SwaggerServiceCollectionExtensions.cs
@@ -85,7 +85,6 @@ public static void AddSwagger(this IServiceCollection services, IConfiguration c
                 c.OperationFilter<FileResponseTypeFilter>();
                 c.OperationFilter<OptionalParametersFilter>();
                 c.OperationFilter<ArrayInQueryParametersFilter>();
-                c.OperationFilter<SecurityRequirementsOperationFilter>();
                 c.OperationFilter<ModuleInfoFilter>();
                 c.OperationFilter<OpenIDEndpointDescriptionFilter>();
                 c.SchemaFilter<EnumSchemaFilter>();
@@ -94,18 +93,8 @@ public static void AddSwagger(this IServiceCollection services, IConfiguration c
                 c.AddModulesXmlComments(provider);
                 c.CustomOperationIds(apiDesc =>
                     apiDesc.TryGetMethodInfo(out var methodInfo) ? $"{((ControllerActionDescriptor)apiDesc.ActionDescriptor).ControllerName}_{methodInfo.Name}" : null);
-                c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
-                {
-                    Type = SecuritySchemeType.OAuth2,
-                    Description = "OAuth2 Resource Owner Password Grant flow",
-                    Flows = new OpenApiOAuthFlows
-                    {
-                        Password = new OpenApiOAuthFlow
-                        {
-                            TokenUrl = new Uri("/connect/token", UriKind.Relative)
-                        }
-                    },
-                });
+
+                c.AddSecuritySchemes();
 
                 c.DocInclusionPredicate((docName, apiDesc) => DocInclusionPredicateCustomStrategy(modules, docName, apiDesc));
                 c.ResolveConflictingActions(apiDescriptions => apiDescriptions.First());
@@ -250,5 +239,62 @@ private static void AddModulesXmlComments(this SwaggerGenOptions options, Servic
                 }
             }
         }
+
+        /// <summary>
+        /// Add security schemes definitions and operation filters for authentication
+        /// </summary>
+        private static void AddSecuritySchemes(this SwaggerGenOptions options)
+        {
+            options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.OAuth2,
+                Description = "OAuth2 Resource Owner Password Grant flow",
+                Flows = new OpenApiOAuthFlows
+                {
+                    ClientCredentials = new OpenApiOAuthFlow
+                    {
+                        TokenUrl = new Uri("/connect/token", UriKind.Relative)
+                    },
+                    Password = new OpenApiOAuthFlow
+                    {
+                        TokenUrl = new Uri("/connect/token", UriKind.Relative)
+                    }
+                },
+            });
+            options.AddSecurityDefinition("api_key", new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.ApiKey,
+                Description = "API Key authentication",
+                In = ParameterLocation.Query,
+                Name = "api_key",
+            });
+            options.AddSecurityDefinition("api_key_header", new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.ApiKey,
+                Description = "API Key authentication (alternative via header)",
+                In = ParameterLocation.Header,
+                Name = "api_key",
+            });
+            options.AddSecurityDefinition("http-signature", new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.Http,
+                Scheme = "signature",
+                Description = "HTTP Signature authentication using Authorization header",
+            });
+            options.AddSecurityDefinition("basic", new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.Http,
+                Scheme = "basic",
+                Description = "Basic authentication using username and password",
+            });
+
+            // Register SecurityRequirementsOperationFilter for each security scheme
+            // This allows API clients to use any of the supported authentication methods
+            options.OperationFilter<SecurityRequirementsOperationFilter>(true, "oauth2");
+            options.OperationFilter<SecurityRequirementsOperationFilter>(true, "api_key");
+            options.OperationFilter<SecurityRequirementsOperationFilter>(true, "api_key_header");
+            options.OperationFilter<SecurityRequirementsOperationFilter>(true, "http-signature");
+            options.OperationFilter<SecurityRequirementsOperationFilter>(true, "basic");
+        }
     }
 }
