openapi-python-client icon indicating copy to clipboard operation
openapi-python-client copied to clipboard
verified publisher icon openapi-generators

Security key doesn't respect endpoint explicitly setting anonymous access (via `{}`)

Open patcon opened this issue 3 weeks ago • 0 comments

Thanks for this wonderful library! It's been SO helpful :)

Describe the bug The client args in generated methods (Client vs AuthenticatedClient) don't match those described by security in the spec, when explicitly anonymous access is permitted in an endpoint's security list, as allowed in spec:

An empty Security Requirement Object ({}) indicates anonymous access is supported. [ref, with examples]

Example:

  /auth-optional-explicit:
    get:
      summary: Requires auth but has empty object
      security:   # <--- client: AuthenticatedClient (EXPECTED: Client | AuthenticatedClient)
        - {}
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK

This is due to this line

https://github.com/openapi-generators/openapi-python-client/blob/49fa8fc076a5733e68029ba36f4672759c4ac52b/openapi_python_client/parser/openapi.py#L423

>>> bool([])
False
>>> bool([{"ApiKeyAuth": []}])
True
>>> bool([{"ApiKeyAuth": []}, {}])
True
>>> bool([{}])
True

We would want the last two to return False. We should check if {} is anywhere in a list (when it's a list).

This would do the trick:

requires_security_check = lambda sec: bool(sec or []) and {} not in (sec or [])

OpenAPI Spec File

openapi: 3.1.0
info:
  title: Security Test API
  version: 1.0.0
servers:
  - url: https://example.com
paths:
  /no-auth-specified:
    get:
      summary: Truly anonymous
      security: []   # client: Client | AuthenticatedClient (EXPECTED: same)
      responses:
        '200':
          description: OK
  /explicit-anon:
    get:
      summary: Requires auth but has empty object
      security:   # <--- client: AuthenticatedClient (EXPECTED: not sure, but def not this)
        - {}
      responses:
        '200':
          description: OK
  /auth-optional-explicit:
    get:
      summary: Requires auth but has empty object
      security:   # <--- client: AuthenticatedClient (EXPECTED: Client | AuthenticatedClient)
        - {}
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK
  /auth-required:
    get:
      summary: Requires API key
      security:   # <--- client: AuthenticatedClient
        - ApiKeyAuth: []
      responses:
        '200':
          description: OK
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key

Desktop (please complete the following information):

  • OS: [e.g. macOS 10.15.1]
  • Python Version: [e.g. 3.8.0]
  • openapi-python-client version [e.g. 0.1.0]

Additional context ...

patcon avatar Dec 06 '25 19:12 patcon