join command does not join root security

[ootkin]

Describe the bug

security section is not joined in the output if a schema specify the security section in the root level

To Reproduce

spec1.yaml:

openapi: 3.1.0
info:
  title: "spec1"
  version: 1.0.0
servers:
  - url: https://api.example.com
security:
  - oauth2: []
components:
  securitySchemes:
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          scopes: {}
paths: {}

spec2.yaml:

openapi: 3.1.0
info:
  title: "spec1"
  version: 1.0.0
servers:
  - url: https://api.example.com
paths:
  /post:
    get:
      summary: Example
      operationId: example
      responses:
        200:
          description: OK
        400:
          description: Bad request

run command: npx @redocly/cli join spec1.yaml spec2.yaml -o joined.yaml

output:

openapi: 3.1.0
info:
  title: spec1
  version: 1.0.0
servers:
  - url: https://api.example.com
tags:
  - name: spec2_other
    x-displayName: other
paths:
  /post:
    get:
      summary: Example
      operationId: example
      responses:
        '200':
          description: OK
        '400':
          description: Bad request
      tags:
        - spec2_other
components:
  securitySchemes:
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.com/oauth/authorize
          tokenUrl: https://example.com/oauth/token
          scopes: {}
x-tagGroups:
  - name: spec2
    tags:
      - spec2_other

Expected behavior

the security in the root level must be present in the output

OpenAPI description

oas version: 3.1

Redocly Version(s)

1.6.0

Node.js Version(s)

v20.10.0

[tatomyr]

This looks like a bug. Thank you for finding this!

[lornajane]

See also: #913

[MarcelHoell]

We've got some custom 'x-' properties right inside the root object (same level as 'openapi', 'info', ...), which get lost upon 'join'. Maybe this is the same issue?

[artsiommiksiuk]

Are there any workarounds until it's fixed? Except blunt text append to generated schema.

[tatomyr]

@MarcelHoell not exactly the same, but rather similar. Currently, we have to specify the fields to be merged in the code, and I think it will be difficult to merge unknown fields correctly (although it is still worth investigating).

@artsiommiksiuk unfortunately I cannot come up with a workaround here. Just in case, we accept PRs here!

[serieznyi]

Hello.
Problem stil reproduced on newest versions of tool

OpenAPI description: oas version: 3.1

Redocly Version(s): 1.34.2

Tested under docker

docker run -v /tmp/openapi:/www -w /www --rm redocly/cli:1.34.2 join base.yml component.yml -o openapi.yml

base.yml:

openapi: 3.1.1
info:
  title: MY API v1
  version: 2.0.0
servers:
  - url: 'https://127.0.0.1:80/api/v2'
    description: Local
paths: {}
components:
  schemas: {}
  securitySchemes:
    basicJwt:
      type: http
      scheme: bearer
      bearerFormat: JWT
security:
  - basicJwt: []

component.yml:

openapi: 3.1.1
info:
  title: DRAFT
  version: 2.0.0
paths:
  /audit/events/search:
    post:
      requestBody:
        description: Filter data
        content:
          application/json:
            schema:
              type: object
              properties:
                event:
                  type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      type: string
components:
  parameters: {}
  schemas: {}
  requestBodies: {}
  responses: {}

openapi.yml:

openapi: 3.1.1
info:
  title: MY API v1
  version: 2.0.0
servers:
  - url: https://127.0.0.1:80/api/v2
    description: Local
tags:
  - name: component.audit_other
    x-displayName: other
paths:
  /audit/events/search:
    post:
      requestBody:
        description: Filter data
        content:
          application/json:
            schema:
              type: object
              properties:
                event:
                  type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      type: string
      tags:
        - component.audit_other
components:
  schemas: {}
  securitySchemes:
    basicJwt:
      type: http
      scheme: bearer
      bearerFormat: JWT
  parameters: {}
  requestBodies: {}
  responses: {}
x-tagGroups:
  - name: DRAFT
    tags:
      - component.audit_other

[tatomyr]

Hmm. This is more complex than I initially thought. In the original case, if we simply merge the root-level security, authentication will be applied to the /post endpoint. But that's incorrect since join is meant to combine multiple API descriptions into one without altering their behaviour.

If we were to implement this properly, we’d first need to extract the root-level security from each API description and apply it to every operation (unless an operation already declares its own security) before joining the descriptions.
In this scenario, it's better to write a custom decorator that spreads the root-level security down to the operations.

However, in @ootkin's case, it seems you do want to modify the second description by adding security. If that’s the case, the join command isn’t the right tool - instead, a custom decorator would again be the better solution.