From a8bcec5abb5b1b910726ec5b1150a3c00ab55b43 Mon Sep 17 00:00:00 2001
From: Jean-Marc Le Roux <jeanmarc@lx.industries>
Date: Sun, 14 Sep 2025 16:35:16 +0200
Subject: [PATCH] feat: add inline security scope display for API endpoints

- Created ScopeDisplay component to show security requirements inline
- Supports all security schemes (OAuth2, OpenID, API Key, Bearer, Basic, etc.)
- Shows scopes/requirements next to the padlock icon for each endpoint
- Displays AND/OR logic clearly for multiple security schemes
- Added responsive styling with badges and scope pills
- Includes comprehensive unit tests

Addresses long-standing issue #5062 - users can now see required
scopes at a glance without clicking the padlock icon.
---
 src/core/components/auth/scope-display.jsx    | 130 +++++++++
 src/core/components/operation-summary.jsx     |  25 +-
 src/core/plugins/auth/selectors.js            |  49 ++++
 .../base/plugins/core-components/index.js     |   2 +
 src/style/_authorize.scss                     |  95 +++++++
 test/unit/components/auth/scope-display.jsx   | 267 ++++++++++++++++++
 6 files changed, 561 insertions(+), 7 deletions(-)
 create mode 100644 src/core/components/auth/scope-display.jsx
 create mode 100644 test/unit/components/auth/scope-display.jsx

diff --git a/src/core/components/auth/scope-display.jsx b/src/core/components/auth/scope-display.jsx
new file mode 100644
index 00000000000..b7f169b0583
--- /dev/null
+++ b/src/core/components/auth/scope-display.jsx
@@ -0,0 +1,130 @@
+import React from "react"
+import PropTypes from "prop-types"
+import ImPropTypes from "react-immutable-proptypes"
+
+export default class ScopeDisplay extends React.Component {
+  static propTypes = {
+    security: ImPropTypes.iterable,
+    authSelectors: PropTypes.object.isRequired,
+    authDefinitions: ImPropTypes.iterable,
+    specSelectors: PropTypes.object.isRequired
+  }
+
+  extractSecurityRequirements = (security) => {
+    if (!security || !security.count()) {
+      return null
+    }
+
+    const requirements = []
+
+    // Each item in security array represents an OR condition
+    security.forEach((requirement) => {
+      const schemes = []
+
+      // Each entry in a requirement represents an AND condition
+      requirement.forEach((scopes, schemeName) => {
+        const schemeData = {
+          name: schemeName,
+          scopes: []
+        }
+
+        // Handle different security scheme types
+        if (scopes && scopes.size > 0) {
+          // For OAuth2, OpenID Connect, or any scheme with scopes
+          schemeData.scopes = scopes.toJS()
+        }
+
+        schemes.push(schemeData)
+      })
+
+      requirements.push(schemes)
+    })
+
+    return requirements
+  }
+
+  formatNonOptionalRequirements = (requirements) => {
+    return requirements.map((requirementGroup, idx) => {
+      const isLastGroup = idx === requirements.length - 1
+
+      return (
+        <span key={idx} className="opblock-security-requirement-group">
+          {requirementGroup.map((scheme, schemeIdx) => {
+            const isLastInGroup = schemeIdx === requirementGroup.length - 1
+
+            return (
+              <span key={schemeIdx} className="opblock-security-requirement">
+                <span className="opblock-security-scheme-name">{scheme.name}</span>
+                {scheme.scopes.length > 0 && (
+                  <span className="opblock-security-scope-list">
+                    {" ("}
+                    {scheme.scopes.map((scope, scopeIdx) => (
+                      <React.Fragment key={scopeIdx}>
+                        <code className="opblock-security-scope">
+                          {scope}
+                        </code>
+                        {scopeIdx < scheme.scopes.length - 1 ? ", " : ""}
+                      </React.Fragment>
+                    ))}
+                    {")"}
+                  </span>
+                )}
+                {!isLastInGroup && (
+                  <span className="opblock-security-operator"> + </span>
+                )}
+              </span>
+            )
+          })}
+          {!isLastGroup && (
+            <span className="opblock-security-operator"> OR </span>
+          )}
+        </span>
+      )
+    })
+  }
+
+  formatSecurityDisplay = (requirements) => {
+    if (!requirements || requirements.length === 0) {
+      return null
+    }
+
+    // Check if this is optional security (empty object in array)
+    if (requirements.length === 1 && requirements[0].length === 0) {
+      return <span className="opblock-security-requirement opblock-security-optional">Optional</span>
+    }
+
+    // Check for optional security pattern (one empty and others with auth)
+    const hasEmptyRequirement = requirements.some(req => req.length === 0)
+    const hasNonEmptyRequirement = requirements.some(req => req.length > 0)
+
+    if (hasEmptyRequirement && hasNonEmptyRequirement) {
+      // Filter out empty requirements and add optional label
+      const nonEmptyRequirements = requirements.filter(req => req.length > 0)
+      return (
+        <React.Fragment>
+          <span className="opblock-security-requirement opblock-security-optional">Optional</span>
+          <span className="opblock-security-operator"> OR </span>
+          {this.formatNonOptionalRequirements(nonEmptyRequirements)}
+        </React.Fragment>
+      )
+    }
+
+    return this.formatNonOptionalRequirements(requirements)
+  }
+
+  render() {
+    const { security } = this.props
+    const requirements = this.extractSecurityRequirements(security)
+    const display = this.formatSecurityDisplay(requirements)
+
+    if (!display) {
+      return null
+    }
+
+    return (
+      <div className="opblock-security-display">
+        {display}
+      </div>
+    )
+  }
+}
\ No newline at end of file
diff --git a/src/core/components/operation-summary.jsx b/src/core/components/operation-summary.jsx
index d31f56d3f9c..90881f50f4c 100644
--- a/src/core/components/operation-summary.jsx
+++ b/src/core/components/operation-summary.jsx
@@ -16,6 +16,7 @@ export default class OperationSummary extends PureComponent {
     getConfigs: PropTypes.func.isRequired,
     authActions: PropTypes.object,
     authSelectors: PropTypes.object,
+    specSelectors: PropTypes.object,
   }
 
   static defaultProps = {
@@ -32,6 +33,7 @@ export default class OperationSummary extends PureComponent {
       getComponent,
       authActions,
       authSelectors,
+      specSelectors,
       operationProps,
       specPath,
     } = this.props
@@ -55,6 +57,7 @@ export default class OperationSummary extends PureComponent {
     let security = operationProps.get("security")
 
     const AuthorizeOperationBtn = getComponent("authorizeOperationBtn", true)
+    const ScopeDisplay = getComponent("ScopeDisplay", true)
     const OperationSummaryMethod = getComponent("OperationSummaryMethod")
     const OperationSummaryPath = getComponent("OperationSummaryPath")
     const JumpToPath = getComponent("JumpToPath", true)
@@ -88,13 +91,21 @@ export default class OperationSummary extends PureComponent {
         <CopyToClipboardBtn textToCopy={`${specPath.get(1)}`} />
         {
           allowAnonymous ? null :
-            <AuthorizeOperationBtn
-              isAuthorized={isAuthorized}
-              onClick={() => {
-                const applicableDefinitions = authSelectors.definitionsForRequirements(security)
-                authActions.showDefinitions(applicableDefinitions)
-              }}
-            />
+            <div className="opblock-auth-wrapper">
+              <ScopeDisplay
+                security={security}
+                authSelectors={authSelectors}
+                authDefinitions={authSelectors.definitionsToAuthorize()}
+                specSelectors={specSelectors}
+              />
+              <AuthorizeOperationBtn
+                isAuthorized={isAuthorized}
+                onClick={() => {
+                  const applicableDefinitions = authSelectors.definitionsForRequirements(security)
+                  authActions.showDefinitions(applicableDefinitions)
+                }}
+              />
+            </div>
         }
         <JumpToPath path={specPath} />{/* TODO: use wrapComponents here, swagger-ui doesn't care about jumpToPath */}
         <button
diff --git a/src/core/plugins/auth/selectors.js b/src/core/plugins/auth/selectors.js
index d987bb09292..60427427eb3 100644
--- a/src/core/plugins/auth/selectors.js
+++ b/src/core/plugins/auth/selectors.js
@@ -119,3 +119,52 @@ export const getConfigs = createSelector(
     state,
     auth => auth.get( "configs" )
 )
+
+export const getSecurityRequirementsForOperation = (state, securities) => ({ specSelectors }) => {
+  if (!securities || !securities.count()) {
+    return null
+  }
+
+  const securityDefinitions = specSelectors.securityDefinitions() || Map({})
+  const requirements = []
+
+  securities.forEach((requirement) => {
+    const schemes = []
+
+    requirement.forEach((scopes, schemeName) => {
+      const definition = securityDefinitions.get(schemeName)
+
+      if (definition) {
+        const schemeInfo = {
+          name: schemeName,
+          type: definition.get("type"),
+          scopes: scopes ? scopes.toJS() : [],
+          description: definition.get("description")
+        }
+
+        // Add scheme-specific metadata
+        if (definition.get("type") === "oauth2") {
+          schemeInfo.flow = definition.get("flow")
+          schemeInfo.authorizationUrl = definition.get("authorizationUrl")
+          schemeInfo.tokenUrl = definition.get("tokenUrl")
+        } else if (definition.get("type") === "openIdConnect") {
+          schemeInfo.openIdConnectUrl = definition.get("openIdConnectUrl")
+        } else if (definition.get("type") === "apiKey") {
+          schemeInfo.in = definition.get("in")
+          schemeInfo.name = definition.get("name")
+        } else if (definition.get("type") === "http") {
+          schemeInfo.scheme = definition.get("scheme")
+          schemeInfo.bearerFormat = definition.get("bearerFormat")
+        }
+
+        schemes.push(schemeInfo)
+      }
+    })
+
+    if (schemes.length > 0) {
+      requirements.push(schemes)
+    }
+  })
+
+  return requirements
+}
diff --git a/src/core/presets/base/plugins/core-components/index.js b/src/core/presets/base/plugins/core-components/index.js
index 048bc576e46..c422de6d482 100644
--- a/src/core/presets/base/plugins/core-components/index.js
+++ b/src/core/presets/base/plugins/core-components/index.js
@@ -6,6 +6,7 @@ import AuthorizationPopup from "core/components/auth/authorization-popup"
 import AuthorizeBtn from "core/components/auth/authorize-btn"
 import AuthorizeBtnContainer from "core/containers/authorize-btn"
 import AuthorizeOperationBtn from "core/components/auth/authorize-operation-btn"
+import ScopeDisplay from "core/components/auth/scope-display"
 import Auths from "core/components/auth/auths"
 import AuthItem from "core/components/auth/auth-item"
 import AuthError from "core/components/auth/error"
@@ -68,6 +69,7 @@ const CoreComponentsPlugin = () => ({
     authorizeBtn: AuthorizeBtn,
     AuthorizeBtnContainer,
     authorizeOperationBtn: AuthorizeOperationBtn,
+    ScopeDisplay,
     auths: Auths,
     AuthItem: AuthItem,
     authError: AuthError,
diff --git a/src/style/_authorize.scss b/src/style/_authorize.scss
index f2e048610ed..0bab375175b 100644
--- a/src/style/_authorize.scss
+++ b/src/style/_authorize.scss
@@ -94,3 +94,98 @@
 .scope-def {
   padding: 0 0 20px 0;
 }
+
+// Security requirements display in operation summary
+.opblock-auth-wrapper {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
+
+  // Add left padding to scope display (replaces the auth button's padding)
+  .opblock-security-display:first-child {
+    padding-left: 10px;
+  }
+
+  // Remove left padding from auth button when preceded by scope display
+  .opblock-security-display + .authorization__btn {
+    padding-left: 0;
+  }
+}
+
+.opblock-security-display {
+  display: inline-flex;
+  align-items: center;
+  font-size: 12px;
+  flex-wrap: wrap;
+  gap: 4px;
+}
+
+.opblock-security-requirement-group {
+  display: inline-flex;
+  align-items: center;
+  gap: 4px;
+}
+
+.opblock-security-requirement {
+  display: inline-flex;
+  align-items: center;
+  background-color: rgba(#61affe, 0.1);
+  padding: 2px 8px;
+  border-radius: 4px;
+  border: 1px solid rgba(#61affe, 0.3);
+}
+
+.opblock-security-optional {
+  background-color: rgba(#73d13d, 0.1);
+  border-color: rgba(#73d13d, 0.3);
+  color: #52c41a;
+  font-style: italic;
+}
+
+.opblock-security-scheme-name {
+  font-weight: 600;
+  color: #1890ff;
+  margin-right: 2px;
+}
+
+.opblock-security-scope-list {
+  display: inline-flex;
+  align-items: center;
+  color: #595959;
+}
+
+.opblock-security-scope {
+  background-color: #f0f0f0;
+  padding: 1px 4px;
+  border-radius: 2px;
+  font-size: 11px;
+  margin: 0 2px;
+  color: #333;
+  font-family: monospace;
+}
+
+.opblock-security-operator {
+  color: #8c8c8c;
+  font-weight: 600;
+  padding: 0 4px;
+  font-size: 11px;
+  text-transform: uppercase;
+}
+
+// Responsive design for mobile
+@media (max-width: 768px) {
+  .opblock-auth-wrapper {
+    display: block;
+    margin-top: 5px;
+  }
+
+  .opblock-security-display {
+    display: block;
+    margin-top: 5px;
+  }
+
+  .opblock-security-requirement-group {
+    display: block;
+    margin-bottom: 4px;
+  }
+}
diff --git a/test/unit/components/auth/scope-display.jsx b/test/unit/components/auth/scope-display.jsx
new file mode 100644
index 00000000000..d47a8b13e41
--- /dev/null
+++ b/test/unit/components/auth/scope-display.jsx
@@ -0,0 +1,267 @@
+import React from "react"
+import { shallow } from "enzyme"
+import { fromJS } from "immutable"
+import ScopeDisplay from "core/components/auth/scope-display"
+
+describe("<ScopeDisplay/>", function() {
+  const mockAuthSelectors = {
+    definitionsToAuthorize: jest.fn(() => fromJS([]))
+  }
+
+  const mockSpecSelectors = {
+    securityDefinitions: jest.fn(() => fromJS({}))
+  }
+
+  describe("OAuth2 scopes", function() {
+    it("should display OAuth2 scopes correctly", function() {
+      const security = fromJS([
+        {
+          "OAuth2": ["read:api", "write:api"]
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-display").length).toEqual(1)
+      expect(wrapper.find(".opblock-security-scheme-name").text()).toEqual("OAuth2")
+      expect(wrapper.find(".opblock-security-scope").length).toEqual(2)
+      expect(wrapper.find(".opblock-security-scope").at(0).text()).toEqual("read:api")
+      expect(wrapper.find(".opblock-security-scope").at(1).text()).toEqual("write:api")
+    })
+
+    it("should display OAuth2 with empty scopes", function() {
+      const security = fromJS([
+        {
+          "OAuth2": []
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-display").length).toEqual(1)
+      expect(wrapper.find(".opblock-security-scheme-name").text()).toEqual("OAuth2")
+      expect(wrapper.find(".opblock-security-scope").length).toEqual(0)
+    })
+  })
+
+  describe("Multiple security schemes", function() {
+    it("should display OR logic between security requirements", function() {
+      const security = fromJS([
+        {
+          "OAuth2": ["read:api"]
+        },
+        {
+          "ApiKey": []
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-requirement-group").length).toEqual(2)
+      expect(wrapper.find(".opblock-security-operator").text()).toContain("OR")
+    })
+
+    it("should display AND logic within a security requirement", function() {
+      const security = fromJS([
+        {
+          "OAuth2": ["read:api"],
+          "ApiKey": []
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-requirement-group").length).toEqual(1)
+      expect(wrapper.find(".opblock-security-requirement").length).toEqual(2)
+      expect(wrapper.find(".opblock-security-operator").at(0).text()).toContain("+")
+    })
+  })
+
+  describe("Other security schemes", function() {
+    it("should display API Key authentication", function() {
+      const security = fromJS([
+        {
+          "ApiKeyAuth": []
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-scheme-name").text()).toEqual("ApiKeyAuth")
+      expect(wrapper.find(".opblock-security-scope").length).toEqual(0)
+    })
+
+    it("should display Bearer authentication", function() {
+      const security = fromJS([
+        {
+          "BearerAuth": []
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-scheme-name").text()).toEqual("BearerAuth")
+    })
+
+    it("should display Basic authentication", function() {
+      const security = fromJS([
+        {
+          "BasicAuth": []
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-scheme-name").text()).toEqual("BasicAuth")
+    })
+
+    it("should display OpenID Connect with scopes", function() {
+      const security = fromJS([
+        {
+          "OpenIDConnect": ["openid", "profile", "email"]
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-scheme-name").text()).toEqual("OpenIDConnect")
+      expect(wrapper.find(".opblock-security-scope").length).toEqual(3)
+      expect(wrapper.find(".opblock-security-scope").at(0).text()).toEqual("openid")
+      expect(wrapper.find(".opblock-security-scope").at(1).text()).toEqual("profile")
+      expect(wrapper.find(".opblock-security-scope").at(2).text()).toEqual("email")
+    })
+  })
+
+  describe("Optional security", function() {
+    it("should display optional security correctly", function() {
+      const security = fromJS([
+        {}
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-optional").length).toEqual(1)
+      expect(wrapper.find(".opblock-security-optional").text()).toEqual("Optional")
+    })
+  })
+
+  describe("Edge cases", function() {
+    it("should return null for no security", function() {
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={null}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.isEmptyRender()).toBe(true)
+    })
+
+    it("should return null for empty security list", function() {
+      const security = fromJS([])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.isEmptyRender()).toBe(true)
+    })
+
+    it("should handle complex multi-scheme requirements", function() {
+      const security = fromJS([
+        {
+          "OAuth2": ["read:api", "write:api"],
+          "ApiKey": []
+        },
+        {
+          "BasicAuth": []
+        },
+        {
+          "BearerAuth": [],
+          "CustomAuth": ["admin"]
+        }
+      ])
+
+      const wrapper = shallow(
+        <ScopeDisplay
+          security={security}
+          authSelectors={mockAuthSelectors}
+          specSelectors={mockSpecSelectors}
+        />
+      )
+
+      expect(wrapper.find(".opblock-security-requirement-group").length).toEqual(3)
+
+      // First group: OAuth2 + ApiKey
+      const firstGroup = wrapper.find(".opblock-security-requirement-group").at(0)
+      expect(firstGroup.find(".opblock-security-requirement").length).toEqual(2)
+
+      // Second group: BasicAuth
+      const secondGroup = wrapper.find(".opblock-security-requirement-group").at(1)
+      expect(secondGroup.find(".opblock-security-requirement").length).toEqual(1)
+
+      // Third group: BearerAuth + CustomAuth
+      const thirdGroup = wrapper.find(".opblock-security-requirement-group").at(2)
+      expect(thirdGroup.find(".opblock-security-requirement").length).toEqual(2)
+    })
+  })
+})
\ No newline at end of file