middleware icon indicating copy to clipboard operation
middleware copied to clipboard
verified publisher icon honojs

[@hono/zod-openapi] securitySchemes not being applied from config

Open Soviut opened this issue 4 months ago • 6 comments

Which middleware has the bug?

@hono/zod-openapi

What version of the middleware?

1.1.0

What version of Hono are you using?

4.8.0

What runtime/platform is your app running on? (with version if possible)

Node

What steps can reproduce the bug?

create an openapi config like this

import { serve } from '@hono/node-server'

const OPENAPI_CONFIG = {
  openapi: '3.1.0',
  externalDocs: {
    description: 'My API',
    url: 'example.com',
  },
  info: {
    version: '0.0.1',
    title: 'My API',
  },
  components: {
    securitySchemes: {
      bearerAuth: {
        type: 'http',
        scheme: 'bearer',
        bearerFormat: 'JWT',
        description: 'JWT Authentication',
      },
    },
  },
}

const app = new OpenAPIHono()

app.doc31('/doc', OPENAPI_CONFIG)

serve(app, (info) => {
  console.log(`Listening on http://localhost:${info.port}`)
})

Then visit http://localhost:3000/doc

Observe that the components section of the doc is missing the securitySchemes section entirely.

{
  "openapi": "3.1.0",
  "externalDocs": {
    "description": "My Api",
    "url": "example.com"
  },
  "info": {
    "version": "0.0.1",
    "title": "My API"
  },
  "components": {
    "schemas": {},
    "parameters": {}
  },
  "paths": {
    /* ... */
  },
  "webhooks": {}
}

Additionally, anything put under the components section seems to be ignored or overwritten in the doc.

What is the expected behavior?

The securitySchemes defined in the config should be kept.

What do you see instead?

  "components": {
    "schemas": {},
    "parameters": {}
  }

Anything in the config that is put under components gets removed.

Additional information

No response

Soviut avatar Sep 05 '25 08:09 Soviut

As a workaround you could register the securitySchemas right before calling app.doc31

app.openAPIRegistry.registerComponent("securitySchemes", "bearerAuth", {
      type: 'http',
      scheme: 'bearer',
      bearerFormat: 'JWT',
      description: 'JWT Authentication',
});

luksch42 avatar Sep 09 '25 06:09 luksch42

@luksch42 thanks, I figured something like this was possible. This definitely should be added to the documentation. Once I've had a little time to play with this I'll probably make a docs PR.

Soviut avatar Sep 09 '25 06:09 Soviut

@luksch42 Thanks!

@Soviut

This definitely should be added to the documentation. Once I've had a little time to play with this I'll probably make a docs PR.

We will be happy if you create a PR!

yusukebe avatar Sep 09 '25 20:09 yusukebe

@luksch42 This worked great. I can see the securitySchemes in the document. Also, their usage in the routes is working in my frontend generator; it recognizes the routes require an authorization header and is sending it now.

Soviut avatar Sep 10 '25 22:09 Soviut

@yusukebe When I create docs for this I was thinking I'd break it into two seconds. The first section would just explain how to use app.openAPIRegistry to register components. The second section would be specifically about how to set up securitySchemes and use them in a route.

For now, I'll probably just show an example of the bearerAuth scheme since that's very common and documented outside of Hono.

What do you think?

Soviut avatar Sep 10 '25 22:09 Soviut

@Soviut

Sounds good! Please go ahead with it.

yusukebe avatar Sep 11 '25 00:09 yusukebe