Handle apiKey and Bearer auth schemes distinctly

icnocop · icnocop · commit c63227681bf3 · 2026-03-19T00:51:36.000-07:00
Refactor JS plugin to properly distinguish apiKey from Bearer/Basic auth, preventing apiKey values from being sent as Bearer tokens. Add unit and Playwright E2E tests to verify correct OpenAPI document emission and SwaggerUI behavior for apiKey schemes. Ensure multiple security schemes are supported and correctly represented in both docs and runtime requests.
diff --git a/src/SignalR.OpenApi.SwaggerUi/Resources/signalr-openapi-plugin.js b/src/SignalR.OpenApi.SwaggerUi/Resources/signalr-openapi-plugin.js
@@ -50,16 +50,29 @@ var SignalROpenApiPlugin = function (system) {
 
     var authState = state.toJS();
     var keys = Object.keys(authState);
-    if (keys.length === 0) {
-      return undefined;
-    }
 
-    var entry = authState[keys[0]];
-    if (entry && entry.schema && entry.schema.type === "http" && entry.schema.scheme === "basic") {
-      return btoa(entry.value.username + ":" + entry.value.password);
+    for (var i = 0; i < keys.length; i++) {
+      var entry = authState[keys[i]];
+      if (!entry || !entry.schema) {
+        continue;
+      }
+
+      // HTTP Basic: return Base64-encoded credentials
+      if (entry.schema.type === "http" && entry.schema.scheme === "basic" && entry.value) {
+        return btoa(entry.value.username + ":" + entry.value.password);
+      }
+
+      // HTTP Bearer or OAuth2: return the token value
+      if (entry.value
+        && ((entry.schema.type === "http" && entry.schema.scheme !== "basic")
+          || entry.schema.type === "oauth2")) {
+        return entry.value;
+      }
+
+      // Skip apiKey schemes — handled by _getApiKeyHeaders()
     }
 
-    return entry ? entry.value : undefined;
+    return undefined;
   };
 
   // Get apiKey header values entered in the SwaggerUI authorize dialog.
diff --git a/test/SignalR.OpenApi.Tests/SignalROpenApiDocumentGeneratorTests.cs b/test/SignalR.OpenApi.Tests/SignalROpenApiDocumentGeneratorTests.cs
@@ -196,6 +196,70 @@ public void GenerateDocument_AddsSecuritySchemes_WhenAuthorizedHubExistsAndSchem
         Assert.AreEqual(SecuritySchemeType.Http, doc.Components.SecuritySchemes["Bearer"].Type);
     }
 
+    /// <summary>
+    /// Verifies that apiKey security schemes added via SecuritySchemes are emitted
+    /// in the document's components when an authorized hub exists.
+    /// </summary>
+    [TestMethod]
+    public void GenerateDocument_AddsApiKeySecurityScheme_WhenConfiguredViaSecuritySchemes()
+    {
+        var (discoverer, generator) = CreateServices(o =>
+        {
+            o.SecuritySchemes["Impersonation"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.ApiKey,
+                In = ParameterLocation.Header,
+                Name = "X-Session-Id",
+                Description = "Session ID for impersonation.",
+            };
+        });
+
+        var hubs = discoverer.DiscoverHubs();
+        var doc = generator.GenerateDocument(hubs);
+
+        Assert.IsNotNull(doc.Components.SecuritySchemes);
+        Assert.IsTrue(doc.Components.SecuritySchemes.ContainsKey("Impersonation"));
+
+        var scheme = doc.Components.SecuritySchemes["Impersonation"];
+        Assert.AreEqual(SecuritySchemeType.ApiKey, scheme.Type);
+        Assert.AreEqual(ParameterLocation.Header, scheme.In);
+        Assert.AreEqual("X-Session-Id", scheme.Name);
+        Assert.AreEqual("Session ID for impersonation.", scheme.Description);
+    }
+
+    /// <summary>
+    /// Verifies that both apiKey and HTTP Bearer security schemes can coexist
+    /// in the document when configured via SecuritySchemes.
+    /// </summary>
+    [TestMethod]
+    public void GenerateDocument_AddsMixedSecuritySchemes_WhenBothApiKeyAndBearerConfigured()
+    {
+        var (discoverer, generator) = CreateServices(o =>
+        {
+            o.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.Http,
+                Scheme = "bearer",
+                BearerFormat = "JWT",
+            };
+            o.SecuritySchemes["Impersonation"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.ApiKey,
+                In = ParameterLocation.Header,
+                Name = "X-Session-Id",
+                Description = "Session ID for impersonation.",
+            };
+        });
+
+        var hubs = discoverer.DiscoverHubs();
+        var doc = generator.GenerateDocument(hubs);
+
+        Assert.IsNotNull(doc.Components.SecuritySchemes);
+        Assert.AreEqual(2, doc.Components.SecuritySchemes.Count);
+        Assert.IsTrue(doc.Components.SecuritySchemes.ContainsKey("Bearer"));
+        Assert.IsTrue(doc.Components.SecuritySchemes.ContainsKey("Impersonation"));
+    }
+
     /// <summary>
     /// Verifies no security schemes are added when authorized hubs exist but no schemes are configured.
     /// </summary>
@@ -300,6 +364,42 @@ public void GenerateDocument_SetsSecurityOnAuthorizedMethods()
         Assert.IsTrue(getUser.Security.Count > 0);
     }
 
+    /// <summary>
+    /// Verifies security requirements reference all configured schemes including apiKey.
+    /// </summary>
+    [TestMethod]
+    public void GenerateDocument_SecurityRequirementsIncludeApiKeyScheme()
+    {
+        var (discoverer, generator) = CreateServices(o =>
+        {
+            o.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.Http,
+                Scheme = "bearer",
+            };
+            o.SecuritySchemes["Impersonation"] = new OpenApiSecurityScheme
+            {
+                Type = SecuritySchemeType.ApiKey,
+                In = ParameterLocation.Header,
+                Name = "X-Session-Id",
+            };
+        });
+
+        var hubs = discoverer.DiscoverHubs();
+        var doc = generator.GenerateDocument(hubs);
+
+        var getUser = doc.Paths["/hubs/Attribute/GetUserDetails"]
+            .Operations[Microsoft.OpenApi.Models.OperationType.Post];
+
+        Assert.IsNotNull(getUser.Security);
+        Assert.AreEqual(1, getUser.Security.Count, "Should have one security requirement.");
+
+        var requirement = getUser.Security[0];
+        var schemeIds = requirement.Keys.Select(k => k.Reference.Id).ToList();
+        CollectionAssert.Contains(schemeIds, "Bearer", "Should reference Bearer scheme.");
+        CollectionAssert.Contains(schemeIds, "Impersonation", "Should reference Impersonation scheme.");
+    }
+
     /// <summary>
     /// Verifies data annotations are applied to schemas.
     /// </summary>
diff --git a/test/SignalR.OpenApi.Tests/SwaggerUiApiKeyPlaywrightTests.cs b/test/SignalR.OpenApi.Tests/SwaggerUiApiKeyPlaywrightTests.cs
