TykTechnologies
diff --git a/‎apidef/oas/servers_regeneration.go‎
Lines changed: 23 additions & 0 deletions b/‎apidef/oas/servers_regeneration.go‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎apidef/oas/servers_regeneration_test.go‎
Lines changed: 161 additions & 0 deletions b/‎apidef/oas/servers_regeneration_test.go‎
Lines changed: 161 additions & 0 deletions
diff --git a/‎gateway/mw_jwt.go‎
Lines changed: 59 additions & 36 deletions b/‎gateway/mw_jwt.go‎
Lines changed: 59 additions & 36 deletions
@@ -94,6 +94,29 @@ func (s *OAS) RegenerateServers(
 	return nil
 }
 
+// GenerateTykServers generates and returns only Tyk-managed server URLs for an API.
+// This is a convenience method that generates servers without modifying the OAS spec.
+// Unlike RegenerateServers, this does not include user-defined servers and does not
+// modify the OAS servers array.
+func (s *OAS) GenerateTykServers(
+	apiData *apidef.APIDefinition,
+	baseAPI *apidef.APIDefinition,
+	config ServerRegenerationConfig,
+	versionName string,
+) []*openapi3.Server {
+	serverInfos := generateTykServers(apiData, baseAPI, config, versionName)
+
+	servers := make([]*openapi3.Server, len(serverInfos))
+	for i, info := range serverInfos {
+		servers[i] = &openapi3.Server{
+			URL:         info.url,
+			Description: info.description,
+		}
+	}
+
+	return servers
+}
+
 // generateTykServers generates all Tyk-managed server URLs for an API.
 func generateTykServers(
 	apiData *apidef.APIDefinition,
 
@@ -757,6 +757,167 @@ func TestGenerateTykServersBaseAPIWithVersioning(t *testing.T) {
 	})
 }
 
+func TestOAS_GenerateTykServers(t *testing.T) {
+	t.Parallel()
+
+	t.Run("standard non-versioned API", func(t *testing.T) {
+		t.Parallel()
+
+		oas := &OAS{}
+		apiDef := &apidef.APIDefinition{
+			APIID: "test-api",
+			Proxy: apidef.ProxyConfig{
+				ListenPath: "/test",
+			},
+		}
+
+		config := ServerRegenerationConfig{
+			Protocol:    "http://",
+			DefaultHost: "localhost:8080",
+		}
+
+		servers := oas.GenerateTykServers(apiDef, nil, config, "")
+
+		require.Len(t, servers, 1)
+		assert.Equal(t, "http://localhost:8080/test", servers[0].URL)
+	})
+
+	t.Run("versioned child API with URL path versioning", func(t *testing.T) {
+		t.Parallel()
+
+		oas := &OAS{}
+		baseAPI := &apidef.APIDefinition{
+			APIID: "base-id",
+			Proxy: apidef.ProxyConfig{
+				ListenPath: "/products",
+			},
+			VersionDefinition: apidef.VersionDefinition{
+				Enabled:  true,
+				Location: "url",
+				Key:      "version",
+				Versions: map[string]string{
+					"v1": "base-id",
+					"v2": "child-id",
+				},
+			},
+		}
+
+		childAPI := &apidef.APIDefinition{
+			APIID: "child-id",
+			Proxy: apidef.ProxyConfig{
+				ListenPath: "/products-v2",
+			},
+			VersionData: apidef.VersionData{
+				NotVersioned: false,
+				Versions: map[string]apidef.VersionInfo{
+					"v2": {},
+				},
+			},
+		}
+
+		config := ServerRegenerationConfig{
+			Protocol:    "https://",
+			DefaultHost: "api.example.com",
+		}
+
+		servers := oas.GenerateTykServers(childAPI, baseAPI, config, "v2")
+
+		// Should have versioned URL
+		require.NotEmpty(t, servers)
+		found := false
+		for _, server := range servers {
+			if server.URL == "https://api.example.com/products/v2" {
+				found = true
+				break
+			}
+		}
+		assert.True(t, found, "Expected to find versioned URL https://api.example.com/products/v2")
+	})
+
+	t.Run("API with custom domain", func(t *testing.T) {
+		t.Parallel()
+
+		oas := &OAS{}
+		apiDef := &apidef.APIDefinition{
+			APIID:  "test-api",
+			Domain: "custom.example.com",
+			Proxy: apidef.ProxyConfig{
+				ListenPath: "/api",
+			},
+		}
+
+		config := ServerRegenerationConfig{
+			Protocol:    "https://",
+			DefaultHost: "localhost:8080",
+		}
+
+		servers := oas.GenerateTykServers(apiDef, nil, config, "")
+
+		require.Len(t, servers, 1)
+		assert.Equal(t, "https://custom.example.com/api", servers[0].URL)
+	})
+
+	t.Run("base API with versioning and fallback", func(t *testing.T) {
+		t.Parallel()
+
+		oas := &OAS{}
+		baseAPI := &apidef.APIDefinition{
+			APIID: "base-id",
+			Proxy: apidef.ProxyConfig{
+				ListenPath: "/products",
+			},
+			VersionDefinition: apidef.VersionDefinition{
+				Enabled:           true,
+				Name:              "v1",
+				Location:          "url",
+				Default:           "v1",
+				FallbackToDefault: true,
+				Versions: map[string]string{
+					"v1": "base-id",
+				},
+			},
+		}
+
+		config := ServerRegenerationConfig{
+			Protocol:    "http://",
+			DefaultHost: "localhost:8080",
+		}
+
+		servers := oas.GenerateTykServers(baseAPI, nil, config, "")
+
+		// Should have both versioned URL and fallback URL
+		require.Len(t, servers, 2)
+		urls := []string{servers[0].URL, servers[1].URL}
+		assert.Contains(t, urls, "http://localhost:8080/products/v1")
+		assert.Contains(t, urls, "http://localhost:8080/products")
+	})
+
+	t.Run("returns openapi3.Server type not serverInfo", func(t *testing.T) {
+		t.Parallel()
+
+		oas := &OAS{}
+		apiDef := &apidef.APIDefinition{
+			APIID: "test-api",
+			Proxy: apidef.ProxyConfig{
+				ListenPath: "/test",
+			},
+		}
+
+		config := ServerRegenerationConfig{
+			Protocol:    "http://",
+			DefaultHost: "localhost:8080",
+		}
+
+		servers := oas.GenerateTykServers(apiDef, nil, config, "")
+
+		// Verify it returns the correct type
+		require.NotNil(t, servers)
+		require.IsType(t, []*openapi3.Server{}, servers)
+		require.Len(t, servers, 1)
+		require.IsType(t, &openapi3.Server{}, servers[0])
+	})
+}
+
 func TestShouldUpdateChildAPIs(t *testing.T) {
 	t.Parallel()
 
 
@@ -735,36 +735,38 @@ func (k *JWTMiddleware) processCentralisedJWT(r *http.Request, token *jwt.Token)
 		// We need a base policy as a template, either get it from the token itself OR a proxy client ID within Tyk
 		basePolicyID, foundPolicy = k.getBasePolicyID(r, claims)
 		if !foundPolicy {
-			if len(k.Spec.JWTDefaultPolicies) == 0 {
-				k.reportLoginFailure(baseFieldData, r)
-				return errors.New("key not authorized: no matching policy found"), http.StatusForbidden
-			} else {
+			// Only use default policies if configured - scope mapping may provide policies later
+			if len(k.Spec.JWTDefaultPolicies) > 0 {
 				isDefaultPol = true
 				basePolicyID = k.Spec.JWTDefaultPolicies[0]
 			}
 		}
 
-		session, err = k.Gw.generateSessionFromPolicy(basePolicyID,
-			k.Spec.OrgID,
-			true)
+		// Only generate from policy if we have a base policy ID
+		if basePolicyID != "" {
+			session, err = k.Gw.generateSessionFromPolicy(basePolicyID,
+				k.Spec.OrgID,
+				true)
 
-		// If base policy is one of the defaults, apply other ones as well
-		if isDefaultPol {
-			for _, pol := range k.Spec.JWTDefaultPolicies {
-				if !contains(session.ApplyPolicies, pol) {
-					session.ApplyPolicies = append(session.ApplyPolicies, pol)
+			if isDefaultPol {
+				for _, pol := range k.Spec.JWTDefaultPolicies {
+					if !contains(session.ApplyPolicies, pol) {
+						session.ApplyPolicies = append(session.ApplyPolicies, pol)
+					}
 				}
 			}
-		}
 
-		if err := k.ApplyPolicies(&session); err != nil {
-			return errors.New("failed to create key: " + err.Error()), http.StatusInternalServerError
-		}
+			if err := k.ApplyPolicies(&session); err != nil {
+				return errors.New("failed to create key: " + err.Error()), http.StatusInternalServerError
+			}
 
-		if err != nil {
-			k.reportLoginFailure(baseFieldData, r)
-			k.Logger().Error("Could not find a valid policy to apply to this token!")
-			return errors.New("key not authorized: no matching policy"), http.StatusForbidden
+			if err != nil {
+				k.reportLoginFailure(baseFieldData, r)
+				k.Logger().Error("Could not find a valid policy to apply to this token!")
+				return errors.New("key not authorized: no matching policy"), http.StatusForbidden
+			}
+		} else {
+			session = user.SessionState{OrgID: k.Spec.OrgID}
 		}
 
 		//override session expiry with JWT if longer lived
@@ -784,22 +786,23 @@ func (k *JWTMiddleware) processCentralisedJWT(r *http.Request, token *jwt.Token)
 		// extract policy ID from JWT token
 		basePolicyID, foundPolicy = k.getBasePolicyID(r, claims)
 		if !foundPolicy {
-			if len(k.Spec.JWTDefaultPolicies) == 0 {
-				k.reportLoginFailure(baseFieldData, r)
-				return errors.New("key not authorized: no matching policy found"), http.StatusForbidden
-			} else {
+			if len(k.Spec.JWTDefaultPolicies) > 0 {
 				isDefaultPol = true
 				basePolicyID = k.Spec.JWTDefaultPolicies[0]
 			}
 		}
-		// check if we received a valid policy ID in claim
-		k.Gw.policiesMu.RLock()
-		policy, ok := k.Gw.policiesByID[basePolicyID]
-		k.Gw.policiesMu.RUnlock()
-		if !ok {
-			k.reportLoginFailure(baseFieldData, r)
-			k.Logger().Error("Policy ID found is invalid!")
-			return errors.New("key not authorized: no matching policy"), http.StatusForbidden
+		// check if we received a valid policy ID in claim (skip if no base policy for scope-only auth)
+		var policy user.Policy
+		var ok bool
+		if basePolicyID != "" {
+			k.Gw.policiesMu.RLock()
+			policy, ok = k.Gw.policiesByID[basePolicyID]
+			k.Gw.policiesMu.RUnlock()
+			if !ok {
+				k.reportLoginFailure(baseFieldData, r)
+				k.Logger().Error("Policy ID found is invalid!")
+				return errors.New("key not authorized: no matching policy"), http.StatusForbidden
+			}
 		}
 		// check if token for this session was switched to another valid policy
 		pols := session.PolicyIDs()
@@ -827,7 +830,7 @@ func (k *JWTMiddleware) processCentralisedJWT(r *http.Request, token *jwt.Token)
 			}
 		}
 
-		if !contains(pols, basePolicyID) || defaultPolicyListChanged {
+		if basePolicyID != "" && (!contains(pols, basePolicyID) || defaultPolicyListChanged) {
 			if policy.OrgID != k.Spec.OrgID {
 				k.reportLoginFailure(baseFieldData, r)
 				k.Logger().Error("Policy ID found is invalid (wrong ownership)!")
@@ -872,11 +875,13 @@ func (k *JWTMiddleware) processCentralisedJWT(r *http.Request, token *jwt.Token)
 		}
 
 		if scope := getScopeFromClaim(claims, scopeClaimName); len(scope) > 0 {
-			polIDs := []string{
-				basePolicyID, // add base policy as a first one
+			// Start with base policy if it exists
+			polIDs := []string{}
+			if basePolicyID != "" {
+				polIDs = []string{basePolicyID}
 			}
 
-			// // If specified, scopes should not use default policy
+			// If specified, scopes should not use default policy
 			if isDefaultPol {
 				polIDs = []string{}
 			}
@@ -910,6 +915,24 @@ func (k *JWTMiddleware) processCentralisedJWT(r *http.Request, token *jwt.Token)
 				return errors.New("key not authorized: could not apply several policies"), http.StatusForbidden
 			}
 
+		} else if basePolicyID == "" && exists {
+			// Security: existing session with no scope in token and no base policy
+			// Reject to prevent privilege escalation (token should reset policies)
+			k.reportLoginFailure(baseFieldData, r)
+			k.Logger().Error("Existing session requires scope or base policy when scope mapping is configured")
+			return errors.New("key not authorized: no scope or policy in token"), http.StatusForbidden
+		}
+	}
+
+	if basePolicyID == "" && len(k.Spec.JWTDefaultPolicies) == 0 {
+		if len(session.PolicyIDs()) == 0 {
+			k.reportLoginFailure(baseFieldData, r)
+			k.Logger().Error("No policies could be determined from token (no base policy, no valid scopes)")
+			return errors.New("key not authorized: no matching policy found"), http.StatusForbidden
+		} else if exists && len(k.Spec.GetScopeToPolicyMapping()) == 0 {
+			k.reportLoginFailure(baseFieldData, r)
+			k.Logger().Error("Existing session requires policy in token when no defaults configured")
+			return errors.New("key not authorized: no matching policy found"), http.StatusForbidden
 		}
 	}