I'm dealing with a case where I get both an opaque bearer token (Authorization header) and a tenant ID (custom HTTP header) and have to check if the opaque bearer (access) token is valid with the help of the tenant ID.
This means that I (kind of) depend on the tenant ID presence and validity (apiKey auth) being checked before the bearer token is checked, so that I can pass some data from the apiKey security handler to the bearer handler through the `context.Context`.
I've noticed that the order in the security property in the OpenAPI specification doesn't matter; what matters is the security scheme name - the Go code generation template seems to depend on that for the order of the checks 🙁 I.e. `bearerAuth` will be checked before `tenantID` because `b` comes before `t` in the alphabet, but if I prefix `tenantID` with an `a` (i.e. `atenantID`) it'll be checked before the `bearerAuth`.
Another option for my use case is that I leave an empty `HandleTenantID` implementation and do everything in the `HandleBearerAuth` method - pull the custom HTTP header out of the request myself instead of ogen doing that for me 🤔 The `tenantID` security definition is kept only for documentation purposes in this case since the code generated from it is never used. Another option is that I define the tenantID header per endpoint where bearerAuth is used 🤷
Is there perhaps a better way to declare in which order the security checks should happen or would it be possible to adjust the templates in such a way that if security handlers are listed in groups an additional method would be generated for the `SecurityHandler` interface which would get both values? I.e.
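The ordering dependency described in the post, as an added example that is not part of the original post and is not ogen's generated code: a bearer check that reads the tenant from the context should fail closed when the tenant check has not run, so a change in handler order rejects requests instead of validating a token without its tenant. The function signatures, the `Authenticate` wrapper and the token table are hypothetical and constructed for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

type tenantKey struct{} // unexported context key type, cannot collide with other packages
var ErrNoTenant = errors.New("bearer check ran without a validated tenant in context")
var ErrBadToken = errors.New("token is not valid for this tenant")

// Constructed sample data: tenant ID -> opaque tokens issued for that tenant.
var tokens = map[string]map[string]bool{"acme": {"tok-acme-1": true}}

// HandleTenantID (hypothetical signature) validates the tenant and records it in the context.
func HandleTenantID(ctx context.Context, tenant string) (context.Context, error) {
	if _, ok := tokens[tenant]; !ok {
		return ctx, fmt.Errorf("unknown tenant %q", tenant)
	}
	return context.WithValue(ctx, tenantKey{}, tenant), nil
}

// HandleBearerAuth (hypothetical signature) fails closed if no tenant was validated first.
func HandleBearerAuth(ctx context.Context, token string) (context.Context, error) {
	tenant, ok := ctx.Value(tenantKey{}).(string)
	if !ok {
		return ctx, ErrNoTenant
	}
	if !tokens[tenant][token] {
		return ctx, ErrBadToken
	}
	return ctx, nil
}

// Authenticate makes the order explicit instead of relying on scheme names.
func Authenticate(ctx context.Context, tenant, token string) error {
	ctx, err := HandleTenantID(ctx, tenant)
	if err == nil {
		_, err = HandleBearerAuth(ctx, token)
	}
	return err
}

func main() {
	_, err := HandleBearerAuth(context.Background(), "tok-acme-1") // bearer check runs first
	fmt.Println("bearer first:", err)
	fmt.Println("tenant first:", Authenticate(context.Background(), "acme", "tok-acme-1"))
}
```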