oapi-codegen · mromaszewicz · Mar 27, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=../../../../configuration-schema.json
+package: issue518
+generate:
+  fiber-server: true
+  models: true
+output: main.gen.go
@@ -0,0 +1,3 @@
+package issue518
+
+//go:generate go run github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen --config=config.yaml spec.yaml
@@ -0,0 +1,88 @@
+package issue518
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+)
+
+type impl struct{}
+
+// (GET /auth-check)
+func (i *impl) AuthCheck(c *fiber.Ctx) error {
+	return c.SendStatus(fiber.StatusOK)
+}
+
+// (GET /test)
+func (i *impl) Test(c *fiber.Ctx) error {
+	return c.SendStatus(fiber.StatusOK)
+}
+
+// hasSecurityScopes returns true if the BearerAuthScopes key was set in context,
+// even if the scopes slice is empty (an empty slice means the security scheme is
+// defined on the operation with no required scopes, which still requires auth).
+func hasSecurityScopes(c *fiber.Ctx) bool {
+	_, ok := c.Context().UserValue(BearerAuthScopes).([]string)
+	return ok
+}
+
+func TestIssue518(t *testing.T) {
+	server := &impl{}
+
+	assert.NotPanics(t, func() {
+		r := fiber.New()
+		RegisterHandlers(r, server)
+	})
+
+	assert.NotPanics(t, func() {
+		r := fiber.New()
+		RegisterHandlersWithOptions(r, server, FiberServerOptions{
+			Middlewares: []MiddlewareFunc{
+				func(c *fiber.Ctx) error {
+					return nil
+				},
+			},
+			HandlerMiddlewares: []HandlerMiddlewareFunc{
+				func(c *fiber.Ctx, next fiber.Handler) error {
+					if hasSecurityScopes(c) && c.Get(fiber.HeaderAuthorization) == "" {
+						return c.SendStatus(fiber.StatusUnauthorized)
+					}
+					return next(c)
+				},
+			},
+		})
+	})
+
+	t.Run("secured endpoint requires auth when scopes are present", func(t *testing.T) {
+		r := fiber.New()
+		RegisterHandlersWithOptions(r, server, FiberServerOptions{
+			HandlerMiddlewares: []HandlerMiddlewareFunc{
+				func(c *fiber.Ctx, next fiber.Handler) error {
+					if hasSecurityScopes(c) && c.Get(fiber.HeaderAuthorization) == "" {
+						return c.SendStatus(fiber.StatusUnauthorized)
+					}
+					return next(c)
+				},
+			},
+		})
+
+		req := httptest.NewRequest(http.MethodGet, "/auth-check", nil)
+		resp, err := r.Test(req)
+		assert.NoError(t, err)
+		assert.Equal(t, fiber.StatusUnauthorized, resp.StatusCode)
+
+		req = httptest.NewRequest(http.MethodGet, "/auth-check", nil)
+		req.Header.Set(fiber.HeaderAuthorization, "Bearer token")
+		resp, err = r.Test(req)
+		assert.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+		req = httptest.NewRequest(http.MethodGet, "/test", nil)
+		resp, err = r.Test(req)
+		assert.NoError(t, err)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+	})
+}
@@ -0,0 +1,21 @@
+openapi: "3.0.1"
+components:
+  securitySchemes:
+    bearerAuth:
+      scheme: bearer
+      type: http
+paths:
+  /auth-check:
+    get:
+      operationId: authCheck
+      security:
+        - bearerAuth: []
+      responses:
+        200:
+          description: good
+  /test:
+    get:
+      operationId: test
+      responses:
+        200:
+          description: good
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		package issue518

		//go:generate go run github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen --config=config.yaml spec.yaml