Add conditional warning for device authorization flow

mattpolzin · mattpolzin · commit 8a5971625a92 · 2025-12-10T09:25:37.000-06:00
diff --git a/Sources/OpenAPIKit/Security/OAuthFlows.swift b/Sources/OpenAPIKit/Security/OAuthFlows.swift
@@ -12,13 +12,15 @@ extension OpenAPI {
     /// OpenAPI Spec "Oauth Flows Object"
     ///
     /// See [OpenAPI Oauth Flows Object](https://spec.openapis.org/oas/v3.0.4.html#oauth-flows-object).
-    public struct OAuthFlows: Equatable, Sendable {
+    public struct OAuthFlows: HasConditionalWarnings, Sendable {
         public let implicit: Implicit?
         public let password: Password?
         public let clientCredentials: ClientCredentials?
         public let authorizationCode: AuthorizationCode?
         public let deviceAuthorization: DeviceAuthorization?
 
+        public let conditionalWarnings: [(any Condition, OpenAPI.Warning)]
+
         public init(
             implicit: Implicit? = nil,
             password: Password? = nil,
@@ -31,10 +33,33 @@ extension OpenAPI {
             self.clientCredentials = clientCredentials
             self.authorizationCode = authorizationCode
             self.deviceAuthorization = deviceAuthorization
+
+            self.conditionalWarnings = [
+                nonNilVersionWarning(fieldName: "deviceAuthorization", value: deviceAuthorization, minimumVersion: .v3_2_0)
+            ].compactMap { $0 }
         }
     }
 }
 
+extension OpenAPI.OAuthFlows: Equatable {
+    public static func == (lhs: Self, rhs: Self) -> Bool {
+        lhs.implicit == rhs.implicit
+        && lhs.password == rhs.password
+        && lhs.clientCredentials == rhs.clientCredentials
+        && lhs.authorizationCode == rhs.authorizationCode
+        && lhs.deviceAuthorization == rhs.deviceAuthorization
+    }
+}
+
+fileprivate func nonNilVersionWarning<Subject>(fieldName: String, value: Subject?, minimumVersion: OpenAPI.Document.Version) -> (any Condition, OpenAPI.Warning)? {
+    value.map { _ in
+        OpenAPI.Document.ConditionalWarnings.version(
+            lessThan: minimumVersion,
+            doesNotSupport: "The OAuthFlows \(fieldName) field"
+        )
+    }
+}
+
 extension OpenAPI.OAuthFlows {
     @dynamicMemberLookup
     public struct DeviceAuthorization: Equatable, Sendable {
@@ -93,6 +118,10 @@ extension OpenAPI.OAuthFlows: Decodable {
         clientCredentials = try container.decodeIfPresent(OpenAPI.OAuthFlows.ClientCredentials.self, forKey: .clientCredentials)
         authorizationCode = try container.decodeIfPresent(OpenAPI.OAuthFlows.AuthorizationCode.self, forKey: .authorizationCode)
         deviceAuthorization = try container.decodeIfPresent(OpenAPI.OAuthFlows.DeviceAuthorization.self, forKey: .deviceAuthorization)
+
+        self.conditionalWarnings = [
+            nonNilVersionWarning(fieldName: "deviceAuthorization", value: deviceAuthorization, minimumVersion: .v3_2_0)
+        ].compactMap { $0 }
     }
 }
 
diff --git a/Sources/OpenAPIKit/Security/SecurityScheme.swift b/Sources/OpenAPIKit/Security/SecurityScheme.swift
@@ -69,6 +69,15 @@ extension OpenAPI {
     }
 }
 
+fileprivate func notFalseVersionWarning(fieldName: String, value: Bool, minimumVersion: OpenAPI.Document.Version) -> (any Condition, OpenAPI.Warning)? {
+    guard value else { return nil }
+
+    return OpenAPI.Document.ConditionalWarnings.version(
+        lessThan: minimumVersion,
+        doesNotSupport: "The Security Scheme \(fieldName) field"
+    )
+}
+
 extension OpenAPI.SecurityScheme.SecurityType {
     public enum Name: String, Codable {
         case apiKey
diff --git a/Tests/OpenAPIKitTests/Security/OauthFlowsTests.swift b/Tests/OpenAPIKitTests/Security/OauthFlowsTests.swift
@@ -60,6 +60,18 @@ final class OAuthFlowsTests: XCTestCase {
         XCTAssertEqual(authorizationCodeFlow.refreshUrl, testUrl)
         XCTAssertEqual(authorizationCodeFlow.scopes, scopes)
 
+        let deviceAuthorizationFlow = OpenAPI.OAuthFlows.DeviceAuthorization(
+            deviceAuthorizationUrl: testUrl,
+            tokenUrl: testUrl,
+            refreshUrl: testUrl,
+            scopes: scopes
+        )
+
+        XCTAssertEqual(deviceAuthorizationFlow.deviceAuthorizationUrl, testUrl)
+        XCTAssertEqual(deviceAuthorizationFlow.tokenUrl, testUrl)
+        XCTAssertEqual(deviceAuthorizationFlow.refreshUrl, testUrl)
+        XCTAssertEqual(deviceAuthorizationFlow.scopes, scopes)
+
         let flows = OpenAPI.OAuthFlows(
             implicit: implicitFlow,
             password: passwordFlow,
@@ -71,6 +83,22 @@ final class OAuthFlowsTests: XCTestCase {
         XCTAssertEqual(flows.password, passwordFlow)
         XCTAssertEqual(flows.clientCredentials, clientCredentialsFlow)
         XCTAssertEqual(flows.authorizationCode, authorizationCodeFlow)
+        XCTAssertEqual(flows.conditionalWarnings.count, 0)
+
+        let flows2 = OpenAPI.OAuthFlows(
+            implicit: implicitFlow,
+            password: passwordFlow,
+            clientCredentials: clientCredentialsFlow,
+            authorizationCode: authorizationCodeFlow,
+            authorizationCode: deviceAuthorizationFlow
+        )
+
+        XCTAssertEqual(flows2.implicit, implicitFlow)
+        XCTAssertEqual(flows2.password, passwordFlow)
+        XCTAssertEqual(flows2.clientCredentials, clientCredentialsFlow)
+        XCTAssertEqual(flows2.authorizationCode, authorizationCodeFlow)
+        XCTAssertEqual(flows2.deviceAuthorization, deviceAuthorizationFlow)
+        XCTAssertEqual(flows2.conditionalWarnings.count, 1)
     }
 }
 
