Skip to content

Fix: Return error from attempted security scheme instead of first defined scheme#1135

Open
aleksandar-kovacic wants to merge 6 commits intocdimascio:masterfrom
JR-2022:fix/return-attempted-security-scheme-error
Open

Fix: Return error from attempted security scheme instead of first defined scheme#1135
aleksandar-kovacic wants to merge 6 commits intocdimascio:masterfrom
JR-2022:fix/return-attempted-security-scheme-error

Conversation

@aleksandar-kovacic
Copy link

@aleksandar-kovacic aleksandar-kovacic commented Feb 12, 2026

Problem

When multiple security schemes are defined (e.g., BearerAuth OR ApiKeyAuth) and a user provides credentials for only one scheme, the error returned was always from the first defined security scheme rather than the one actually attempted.

Example

Given this OpenAPI security configuration:

security:
  - BearerAuth: []
  - ApiKeyAuth: []

Before this fix

User sends request with an invalid ApiKey but no Bearer token.
ApiKey validation runs and fails with "Invalid API key".
❌ Error returned: "Authorization header required" (from BearerAuth, which wasn't attempted).

After this fix

User sends request with an invalid ApiKey but no Bearer token.
ApiKey validation runs and fails with "Invalid API key"
✅ Error returned: "Invalid API key provided" (from ApiKeyAuth, which was actually attempted)

Solution

Added an attempted flag to track which security schemes received credentials. The error selection logic now prioritizes errors from schemes where authentication was actually attempted over schemes where credentials were missing.

Closes #1118

@cdimascio cdimascio requested a review from Copilot February 22, 2026 14:35
Copilot AI reviewed Feb 22, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts the OpenAPI security middleware’s error selection when multiple OR security schemes are defined, so that the returned error reflects the scheme that was actually attempted (i.e., had credentials provided) rather than always returning the first scheme’s missing-credentials error.

Changes:

  • Add an attempted flag to security handler results and prefer attempted-scheme errors when choosing which error to return.
  • Track whether AuthValidator passed before invoking a handler to determine “attempted”.
  • Add a regression test and a new OpenAPI path (/bearer_or_apikey) to validate the behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
src/middlewares/openapi.security.ts Adds attempted tracking and updates error selection to prefer attempted-scheme failures.
test/security.handlers.spec.ts Adds an integration test covering bearer-vs-apikey OR error selection.
test/resources/security.yaml Adds /bearer_or_apikey path with OR security requirements for the new test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cdimascio cdimascio requested a review from Copilot February 22, 2026 14:39
Copilot AI reviewed Feb 22, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Fridious
Copy link

Fridious commented Mar 2, 2026

@cdimascio I have made all the necessary changes. Is there anything else to do?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Error handling response multiple security strategies

3 participants

@aleksandar-kovacic @Fridious