add new security scheme fields

mattpolzin · mattpolzin · commit e449abbcd1c9 · 2025-12-10T08:59:19.000-06:00
diff --git a/Sources/OpenAPIKit/Security/SecurityScheme.swift b/Sources/OpenAPIKit/Security/SecurityScheme.swift
@@ -15,6 +15,10 @@ extension OpenAPI {
     public struct SecurityScheme: Equatable, CodableVendorExtendable, Sendable {
         public var type: SecurityType
         public var description: String?
+        /// Indication of if the security scheme is deprecated. Defaults to
+        /// `false` and OpenAPIKit only encodes this property if it is set to
+        /// `true`.
+        public var deprecated: Bool
 
         /// Dictionary of vendor extensions.
         ///
@@ -26,37 +30,39 @@ extension OpenAPI {
         public init(
             type: SecurityType,
             description: String? = nil,
-            vendorExtensions: [String: AnyCodable] = [:]
+            vendorExtensions: [String: AnyCodable] = [:],
+            deprecated: Bool = false
         ) {
             self.type = type
             self.description = description
             self.vendorExtensions = vendorExtensions
+            self.deprecated = deprecated
         }
 
-        public static func apiKey(name: String, location: Location, description: String? = nil) -> SecurityScheme {
-            return .init(type: .apiKey(name: name, location: location), description: description)
+        public static func apiKey(name: String, location: Location, description: String? = nil, deprecated: Bool = false) -> SecurityScheme {
+            return .init(type: .apiKey(name: name, location: location), description: description, deprecated: deprecated)
         }
 
-        public static func http(scheme: String, bearerFormat: String? = nil, description: String? = nil) -> SecurityScheme {
-            return .init(type: .http(scheme: scheme, bearerFormat: bearerFormat), description: description)
+        public static func http(scheme: String, bearerFormat: String? = nil, description: String? = nil, deprecated: Bool = false) -> SecurityScheme {
+            return .init(type: .http(scheme: scheme, bearerFormat: bearerFormat), description: description, deprecated: deprecated)
         }
 
-        public static func oauth2(flows: OAuthFlows, description: String? = nil) -> SecurityScheme {
-            return .init(type: .oauth2(flows: flows), description: description)
+        public static func oauth2(flows: OAuthFlows, metadataUrl: URL? = nil, description: String? = nil, deprecated: Bool = false) -> SecurityScheme {
+            return .init(type: .oauth2(flows: flows, metadataUrl: metadataUrl), description: description, deprecated: deprecated)
         }
 
-        public static func openIdConnect(url: URL, description: String? = nil) -> SecurityScheme {
-            return .init(type: .openIdConnect(openIdConnectUrl: url), description: description)
+        public static func openIdConnect(url: URL, description: String? = nil, deprecated: Bool = false) -> SecurityScheme {
+            return .init(type: .openIdConnect(openIdConnectUrl: url), description: description, deprecated: deprecated)
         }
 
-        public static func mutualTLS(description: String? = nil) -> SecurityScheme {
-            return .init(type: .mutualTLS, description: description)
+        public static func mutualTLS(description: String? = nil, deprecated: Bool = false) -> SecurityScheme {
+            return .init(type: .mutualTLS, description: description, deprecated: deprecated)
         }
 
         public enum SecurityType: Equatable, Sendable {
             case apiKey(name: String, location: Location)
             case http(scheme: String, bearerFormat: String?)
-            case oauth2(flows: OAuthFlows)
+            case oauth2(flows: OAuthFlows, metadataUrl: URL?)
             case openIdConnect(openIdConnectUrl: URL)
             case mutualTLS
         }
@@ -106,6 +112,10 @@ extension OpenAPI.SecurityScheme: Encodable {
 
         try container.encodeIfPresent(description, forKey: .description)
 
+        if deprecated {
+            try container.encode(deprecated, forKey: .deprecated)
+        }
+
         switch type {
         case .apiKey(name: let name, location: let location):
             try container.encode(SecurityType.Name.apiKey, forKey: .type)
@@ -118,9 +128,10 @@ extension OpenAPI.SecurityScheme: Encodable {
         case .openIdConnect(openIdConnectUrl: let url):
             try container.encode(SecurityType.Name.openIdConnect, forKey: .type)
             try container.encode(url.absoluteString, forKey: .openIdConnectUrl)
-        case .oauth2(flows: let flows):
+        case .oauth2(flows: let flows, metadataUrl: let url):
             try container.encode(SecurityType.Name.oauth2, forKey: .type)
             try container.encode(flows, forKey: .flows)
+            try container.encodeIfPresent(url?.absoluteString, forKey: .oauth2MetadataUrl)
         case .mutualTLS:
             try container.encode(SecurityType.Name.mutualTLS, forKey: .type)
         }
@@ -137,6 +148,8 @@ extension OpenAPI.SecurityScheme: Decodable {
 
         description = try container.decodeIfPresent(String.self, forKey: .description)
 
+        deprecated = try container.decodeIfPresent(Bool.self, forKey: .deprecated) ?? false
+
         let typeName = try container.decode(SecurityType.Name.self, forKey: .type)
 
         switch typeName {
@@ -154,7 +167,8 @@ extension OpenAPI.SecurityScheme: Decodable {
             )
         case .oauth2:
             type = .oauth2(
-                flows: try container.decode(OpenAPI.OAuthFlows.self, forKey: .flows)
+                flows: try container.decode(OpenAPI.OAuthFlows.self, forKey: .flows),
+                metadataUrl: try container.decodeURLAsStringIfPresent(forKey: .oauth2MetadataUrl)
             )
         case .openIdConnect:
             type = .openIdConnect(
@@ -186,24 +200,28 @@ extension OpenAPI.SecurityScheme {
     internal enum CodingKeys: ExtendableCodingKey {
         case type
         case description
+        case deprecated
         case name
         case location
         case scheme
         case bearerFormat
         case flows
         case openIdConnectUrl
+        case oauth2MetadataUrl
         case extended(String)
 
         static var allBuiltinKeys: [CodingKeys] {
             return [
                 .type,
                 .description,
+                .deprecated,
                 .name,
                 .location,
                 .scheme,
                 .bearerFormat,
                 .flows,
-                .openIdConnectUrl
+                .openIdConnectUrl,
+                .oauth2MetadataUrl
             ]
         }
 
@@ -217,6 +235,8 @@ extension OpenAPI.SecurityScheme {
                 self = .type
             case "description":
                 self = .description
+            case "deprecated":
+                self = .deprecated
             case "name":
                 self = .name
             case "in":
@@ -229,6 +249,8 @@ extension OpenAPI.SecurityScheme {
                 self = .flows
             case "openIdConnectUrl":
                 self = .openIdConnectUrl
+            case "oauth2MetadataUrl":
+                self = .oauth2MetadataUrl
             default:
                 self = .extendedKey(for: stringValue)
             }
@@ -240,6 +262,8 @@ extension OpenAPI.SecurityScheme {
                 return "type"
             case .description:
                 return "description"
+            case .deprecated:
+                return "deprecated"
             case .name:
                 return "name"
             case .location:
@@ -252,6 +276,8 @@ extension OpenAPI.SecurityScheme {
                 return "flows"
             case .openIdConnectUrl:
                 return "openIdConnectUrl"
+            case .oauth2MetadataUrl:
+                return "oauth2MetadataUrl"
             case .extended(let key):
                 return key
             }
@@ -281,3 +307,5 @@ extension OpenAPI.SecurityScheme: ExternallyDereferenceable {
         return (self, .init(), [])
     }
 }
+
+extension OpenAPI.SecurityScheme: Validatable {}
diff --git a/Sources/OpenAPIKitCompat/Compat30To31.swift b/Sources/OpenAPIKitCompat/Compat30To31.swift
@@ -485,7 +485,7 @@ extension OpenAPIKit30.OpenAPI.SecurityScheme.SecurityType: To31 {
         case .http(scheme: let scheme, bearerFormat: let bearerFormat):
             return .http(scheme: scheme, bearerFormat: bearerFormat)
         case .oauth2(flows: let flows):
-            return .oauth2(flows: flows.to31())
+            return .oauth2(flows: flows.to31(), metadataUrl: nil)
         case .openIdConnect(openIdConnectUrl: let openIdConnectUrl):
             return .openIdConnect(openIdConnectUrl: openIdConnectUrl)
         }
diff --git a/Tests/OpenAPIKitCompatTests/DocumentConversionTests.swift b/Tests/OpenAPIKitCompatTests/DocumentConversionTests.swift
@@ -1593,7 +1593,8 @@ fileprivate func assertEqualNewToOld(_ newScheme: OpenAPIKit.OpenAPI.SecuritySch
     case (.http(let scheme, let format), .http(let scheme2, let format2)):
         XCTAssertEqual(scheme, scheme2)
         XCTAssertEqual(format, format2)
-    case (.oauth2(let flows), .oauth2(let flows2)):
+    case (.oauth2(let flows, let metadataUrl), .oauth2(let flows2)):
+        XCTAssertNil(metadataUrl)
         try assertEqualNewToOld(flows, flows2)
     case (.openIdConnect(let url), .openIdConnect(let url2)):
         XCTAssertEqual(url, url2)
diff --git a/Tests/OpenAPIKitTests/EaseOfUseTests.swift b/Tests/OpenAPIKitTests/EaseOfUseTests.swift
@@ -359,16 +359,17 @@ final class DeclarativeEaseOfUseTests: XCTestCase {
                                     "read:widgets" : "read those widgets"
                                 ]
                             )
-                        )
+                        ),
+                        metadataUrl: URL(string: "https://google.com")!
                     ),
                     description: "OAuth Flows"
                 )
         ])
 
         let securityRequirements: [OpenAPI.SecurityRequirement] = [
             [
-                .component( named: "basic_auth"): [],
-                .component( named: "oauth_flow"): ["read:widgets"]
+                .component(named: "basic_auth"): [],
+                .component(named: "oauth_flow"): ["read:widgets"]
             ]
         ]
 
diff --git a/Tests/OpenAPIKitTests/Security/SecuritySchemeTests.swift b/Tests/OpenAPIKitTests/Security/SecuritySchemeTests.swift
@@ -24,8 +24,8 @@ final class SecuritySchemeTests: XCTestCase {
         )
 
         XCTAssertEqual(
-            OpenAPI.SecurityScheme(type: .oauth2(flows: .init()), description: "description"),
-            OpenAPI.SecurityScheme.oauth2(flows: .init(), description: "description")
+            OpenAPI.SecurityScheme(type: .oauth2(flows: .init(), metadataUrl: URL(string: "https://google.com")!), description: "description"),
+            OpenAPI.SecurityScheme.oauth2(flows: .init(), metadataUrl: URL(string: "https://google.com")!,  description: "description")
         )
 
         XCTAssertEqual(
@@ -60,7 +60,7 @@ final class SecuritySchemeTests: XCTestCase {
         )
 
         XCTAssertEqual(
-            OpenAPI.SecurityScheme(type: .oauth2(flows: .init()), description: "description").type.name,
+            OpenAPI.SecurityScheme(type: .oauth2(flows: .init(), metadataUrl: nil), description: "description").type.name,
             .oauth2
         )
 

Original file line number	Diff line number	Diff line change
`@@ -485,7 +485,7 @@ extension OpenAPIKit30.OpenAPI.SecurityScheme.SecurityType: To31 {`
`485`	`485`	`case .http(scheme: let scheme, bearerFormat: let bearerFormat):`
`486`	`486`	`return .http(scheme: scheme, bearerFormat: bearerFormat)`
`487`	`487`	`case .oauth2(flows: let flows):`
`488`		`- return .oauth2(flows: flows.to31())`
	`488`	`+ return .oauth2(flows: flows.to31(), metadataUrl: nil)`
`489`	`489`	`case .openIdConnect(openIdConnectUrl: let openIdConnectUrl):`
`490`	`490`	`return .openIdConnect(openIdConnectUrl: openIdConnectUrl)`
`491`	`491`	`}`
Original file line number	Diff line number	Diff line change
`@@ -359,16 +359,17 @@ final class DeclarativeEaseOfUseTests: XCTestCase {`
`359`	`359`	`"read:widgets" : "read those widgets"`
`360`	`360`	`]`
`361`	`361`	`)`
`362`		`- )`
	`362`	`+ ),`
	`363`	`+ metadataUrl: URL(string: "https://google.com")!`
`363`	`364`	`),`
`364`	`365`	`description: "OAuth Flows"`
`365`	`366`	`)`
`366`	`367`	`])`
`367`	`368`
`368`	`369`	`let securityRequirements: [OpenAPI.SecurityRequirement] = [`
`369`	`370`	`[`
`370`		`- .component( named: "basic_auth"): [],`
`371`		`- .component( named: "oauth_flow"): ["read:widgets"]`
	`371`	`+ .component(named: "basic_auth"): [],`
	`372`	`+ .component(named: "oauth_flow"): ["read:widgets"]`
`372`	`373`	`]`
`373`	`374`	`]`
`374`	`375`
Original file line number	Diff line number	Diff line change
`@@ -24,8 +24,8 @@ final class SecuritySchemeTests: XCTestCase {`
`24`	`24`	`)`
`25`	`25`
`26`	`26`	`XCTAssertEqual(`
`27`		`- OpenAPI.SecurityScheme(type: .oauth2(flows: .init()), description: "description"),`
`28`		`- OpenAPI.SecurityScheme.oauth2(flows: .init(), description: "description")`
	`27`	`+ OpenAPI.SecurityScheme(type: .oauth2(flows: .init(), metadataUrl: URL(string: "https://google.com")!), description: "description"),`
	`28`	`+ OpenAPI.SecurityScheme.oauth2(flows: .init(), metadataUrl: URL(string: "https://google.com")!, description: "description")`
`29`	`29`	`)`
`30`	`30`
`31`	`31`	`XCTAssertEqual(`
`@@ -60,7 +60,7 @@ final class SecuritySchemeTests: XCTestCase {`
`60`	`60`	`)`
`61`	`61`
`62`	`62`	`XCTAssertEqual(`
`63`		`- OpenAPI.SecurityScheme(type: .oauth2(flows: .init()), description: "description").type.name,`
	`63`	`+ OpenAPI.SecurityScheme(type: .oauth2(flows: .init(), metadataUrl: nil), description: "description").type.name,`
`64`	`64`	`.oauth2`
`65`	`65`	`)`
`66`	`66`