Don't generate constants for undefined scopes#2372
Merged
Conversation
A spec that lists a scheme under top-level or operation `security:` without declaring it in `components/securitySchemes` previously emitted a constant like `Api_keyScopes apiKeyContextKey = "api_key.Scopes"` while the `apiKeyContextKey` type itself was never generated. The output failed to compile with `undefined: apiKeyContextKey`, and per-framework middleware templates emitted matching dangling `context.WithValue(ctx, Api_keyScopes, ...)` references when servers were generated. Filter operation `SecurityDefinitions` against the set of schemes actually defined in `components/securitySchemes` in `OperationDefinitions`. Both the constants block and the per-framework middleware now stay in sync with the types that get emitted, so generated code compiles whether or not the spec defines every referenced scheme. Closes: #2367 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Greptile SummaryThis PR keeps generated security-scope constants in sync with declared OpenAPI security schemes. The main changes are:
Confidence Score: 5/5This looks safe to merge.
|
| Filename | Overview |
|---|---|
| pkg/codegen/operations.go | Adds central filtering for undefined security schemes before constants and middleware templates consume operation security metadata. |
| internal/test/issues/issue-2367/spec.yaml | Adds a minimal spec that references a security scheme without defining it. |
| internal/test/issues/issue-2367/api.gen.go | Adds generated output showing the undefined scheme no longer creates dangling scope constants or middleware references. |
Reviews (1): Last reviewed commit: "Don't generate constants for undefined s..." | Re-trigger Greptile
jamietanna
reviewed
May 16, 2026
| github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk= | ||
| github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= | ||
| github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= | ||
| github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= |
Member
There was a problem hiding this comment.
Why are these being removed? 🤔
Member
Author
There was a problem hiding this comment.
I don't know. I run "make tidy" before staging every commit, and I don't ask questions when 'go.sum' changes, because it's never wrong :)
Member
There was a problem hiding this comment.
(Looks like the first recent commit that didn't run make tidy was fbc8e0d, FYI)
jamietanna
added a commit
to oapi-codegen/actions
that referenced
this pull request
May 17, 2026
As noted in oapi-codegen/oapi-codegen#2372, otherwise this leads to cases where we're not correctly `go mod tidy`ing across the project. As all our projects have a `tidy-ci`, we can use that task.
jamietanna
added a commit
to oapi-codegen/actions
that referenced
this pull request
May 17, 2026
As noted in oapi-codegen/oapi-codegen#2372, otherwise this leads to cases where we're not correctly `go mod tidy`ing across the project. As all our projects have a `tidy-ci`, we can use that task.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A spec that lists a scheme under top-level or operation
security:without declaring it incomponents/securitySchemespreviously emitted a constant likeApi_keyScopes apiKeyContextKey = "api_key.Scopes"while theapiKeyContextKeytype itself was never generated. The output failed to compile withundefined: apiKeyContextKey, and per-framework middleware templates emitted matching danglingcontext.WithValue(ctx, Api_keyScopes, ...)references when servers were generated.Filter operation
SecurityDefinitionsagainst the set of schemes actually defined incomponents/securitySchemesinOperationDefinitions. Both the constants block and the per-framework middleware now stay in sync with the types that get emitted, so generated code compiles whether or not the spec defines every referenced scheme.Closes: #2367