fix: make security scheme overrides authoritative

Author: HavenDV

src/libs/AutoSDK/Extensions/OpenApiExtensions.cs

@@ -14,6 +14,39 @@ namespace AutoSDK.Extensions;
 
 public static class OpenApiExtensions
 {
+    private readonly struct SecurityParameterMatcher : IEquatable<SecurityParameterMatcher>
+    {
+        public SecurityParameterMatcher(
+            ParameterLocation location,
+            string name)
+        {
+            Location = location;
+            Name = name;
+        }
+
+        public ParameterLocation Location { get; }
+        public string Name { get; }
+
+        public bool Equals(SecurityParameterMatcher other)
+        {
+            return Location == other.Location &&
+                   string.Equals(Name, other.Name, StringComparison.OrdinalIgnoreCase);
+        }
+
+        public override bool Equals(object? obj)
+        {
+            return obj is SecurityParameterMatcher other && Equals(other);
+        }
+
+        public override int GetHashCode()
+        {
+            unchecked
+            {
+                return ((int)Location * 397) ^ StringComparer.OrdinalIgnoreCase.GetHashCode(Name ?? string.Empty);
+            }
+        }
+    }
+
     public static OpenApiDocument GetOpenApiDocument(
         this string yamlOrJson,
         Settings settings,
@@ -1094,7 +1127,9 @@ public static void InjectSecuritySchemes(
     {
         openApiDocument = openApiDocument ?? throw new ArgumentNullException(nameof(openApiDocument));
 
-        openApiDocument.Components!.SecuritySchemes ??= new Dictionary<string, IOpenApiSecurityScheme>();
+        openApiDocument.Components!.SecuritySchemes = new Dictionary<string, IOpenApiSecurityScheme>();
+        openApiDocument.Security = new List<OpenApiSecurityRequirement>();
+        var matchers = new HashSet<SecurityParameterMatcher>();
 
         foreach (var scheme in settings.SecuritySchemes)
         {
@@ -1146,6 +1181,80 @@ public static void InjectSecuritySchemes(
             {
                 [schemeRef] = new List<string>(),
             });
+            if (TryCreateSecurityParameterMatcher(schemeType, location, namePart, out var matcher))
+            {
+                matchers.Add(matcher);
+            }
+        }
+
+        var pathItems = openApiDocument.Paths != null
+            ? openApiDocument.Paths.Values.ToList()
+            : new List<IOpenApiPathItem>();
+        foreach (var pathItem in pathItems)
+        {
+            SuppressMatchingSecurityParameters(pathItem.Parameters, matchers);
+
+            foreach (var operation in pathItem.Operations?.Values ?? Enumerable.Empty<OpenApiOperation>())
+            {
+                operation.Security = new List<OpenApiSecurityRequirement>();
+                SuppressMatchingSecurityParameters(operation.Parameters, matchers);
+            }
+        }
+    }
+
+    private static void SuppressMatchingSecurityParameters(
+        IList<IOpenApiParameter>? parameters,
+        ISet<SecurityParameterMatcher> matchers)
+    {
+        if (parameters == null || parameters.Count == 0 || matchers.Count == 0)
+        {
+            return;
+        }
+
+        for (var i = parameters.Count - 1; i >= 0; i--)
+        {
+            var parameter = parameters[i];
+            if (string.IsNullOrWhiteSpace(parameter.Name))
+            {
+                continue;
+            }
+
+            if (parameter.In is not ParameterLocation parameterLocation)
+            {
+                continue;
+            }
+
+            var matcher = new SecurityParameterMatcher(parameterLocation, parameter.Name!);
+            if (matchers.Contains(matcher) ||
+                matchers.Any(x =>
+                    x.Location == parameterLocation &&
+                    string.Equals(x.Name, parameter.Name, StringComparison.OrdinalIgnoreCase)))
+            {
+                parameters.RemoveAt(i);
+            }
+        }
+    }
+
+    private static bool TryCreateSecurityParameterMatcher(
+        SecuritySchemeType schemeType,
+        ParameterLocation location,
+        string name,
+        out SecurityParameterMatcher matcher)
+    {
+        matcher = default;
+
+        switch (schemeType)
+        {
+            case SecuritySchemeType.Http:
+            case SecuritySchemeType.OAuth2:
+            case SecuritySchemeType.OpenIdConnect:
+                matcher = new SecurityParameterMatcher(ParameterLocation.Header, "Authorization");
+                return true;
+            case SecuritySchemeType.ApiKey when !string.IsNullOrWhiteSpace(name):
+                matcher = new SecurityParameterMatcher(location, name);
+                return true;
+            default:
+                return false;
         }
     }
 

src/tests/AutoSDK.IntegrationTests.Cli/CliTests.cs

@@ -573,6 +573,69 @@ await GenerateFromContentAsync(
             additionalArguments: ["--security-scheme", "Http:Header:Token"]);
     }
 
+    [TestMethod]
+    public async Task Generate_WithSecuritySchemeOverride_ReplacesAuthAndSuppressesDuplicateParameters()
+    {
+        const string spec = """
+openapi: 3.0.3
+info:
+  title: Auth Override
+  version: 1.0.0
+components:
+  securitySchemes:
+    queryKey:
+      type: apiKey
+      in: query
+      name: api_key
+paths:
+  /chat:
+    get:
+      operationId: getChat
+      security:
+        - queryKey: []
+      parameters:
+        - in: header
+          name: Authorization
+          schema:
+            type: string
+        - in: query
+          name: keep
+          schema:
+            type: string
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  ok:
+                    type: boolean
+""";
+
+        await GenerateFromContentAsync(
+            fileName: "security-override.yaml",
+            specContent: spec,
+            targetFramework: "net10.0",
+            namespaceValue: "AuthOverride",
+            clientClassName: "AuthOverrideClient",
+            assertGeneratedOutput: async outputDirectory =>
+            {
+                var generatedContents = await Task.WhenAll(
+                    Directory.EnumerateFiles(outputDirectory, "*.g.cs", SearchOption.AllDirectories)
+                        .Select(path => File.ReadAllTextAsync(path)));
+                var content = string.Join("\n\n", generatedContents);
+
+                content.Should().Contain("AuthenticationHeaderValue(");
+                content.Should().Contain("\"Bearer\"");
+                content.Should().NotContain("ApiKeyInQuery");
+                content.Should().NotContain("string? authorization = default");
+                content.Should().Contain("string? keep = default");
+            },
+            additionalArguments: ["--security-scheme", "Http:Header:Bearer"]);
+    }
+
     [TestMethod]
     public async Task Generate_WithDuplicateQueryParameterNames_Builds()
     {

src/tests/AutoSDK.UnitTests/Tests.InjectSecuritySchemes.cs

@@ -249,4 +249,59 @@ public void InjectSecuritySchemes_InvalidFormat_Skips()
         // Assert
         document.Security.Should().BeEmpty();
     }
+
+    [TestMethod]
+    public void InjectSecuritySchemes_ReplacesOperationSecurity_AndSuppressesMatchingParameters()
+    {
+        var yaml = """
+openapi: 3.0.3
+info:
+  title: Auth Operation Security
+  version: 1.0.0
+components:
+  securitySchemes:
+    queryKey:
+      type: apiKey
+      in: query
+      name: api_key
+paths:
+  /chat:
+    get:
+      operationId: getChat
+      security:
+        - queryKey: []
+      parameters:
+        - in: header
+          name: Authorization
+          schema:
+            type: string
+        - in: query
+          name: keep
+          schema:
+            type: string
+      responses:
+        '200':
+          description: ok
+""";
+
+        var settings = Settings.Default with
+        {
+            SecuritySchemes = new[] { "Http:Header:Bearer" }.ToImmutableArray(),
+        };
+
+        var document = yaml.GetOpenApiDocument(settings);
+        var pathItem = document.Paths["/chat"];
+        pathItem.Should().NotBeNull();
+        pathItem!.Operations.Should().NotBeNull();
+        var operation = pathItem.Operations![System.Net.Http.HttpMethod.Get];
+
+        document.Components!.SecuritySchemes.Should().ContainSingle();
+        document.Security!.Should().ContainSingle();
+        document.Security[0].Keys.Single().Scheme.Should().Be("Bearer");
+
+        operation.Security.Should().NotBeNull();
+        operation.Security!.Should().BeEmpty();
+        operation.Parameters.Should().ContainSingle();
+        operation.Parameters![0].Name.Should().Be("keep");
+    }
 }