Skip to content

[typescript-axios] Add detection for AWS IAM from schema #21356

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
+1,967 −15
Open

[typescript-axios] Add detection for AWS IAM from schema #21356

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cc2a444
Detect AWS IAM Auth by looking for common patterns
NiltiakSivad May 30, 2025
910a15d
Add sample demonstrating passed withAwsSignature variable works
NiltiakSivad May 30, 2025
d145b9e
Add comments to yaml example file calling out the patterns
NiltiakSivad Jun 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions bin/configs/typescript-axios-aws-iam.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
generatorName: typescript-axios
outputDir: samples/client/petstore/typescript-axios/builds/with-aws-iam
inputSpec: modules/openapi-generator/src/test/resources/3_0/typescript-axios/with-aws-iam.yaml
templateDir: modules/openapi-generator/src/main/resources/typescript-axios
additionalProperties:
npmVersion: 1.0.0
npmName: '@openapitools/typescript-axios-with-aws-iam'
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is my setup, but let me know if you think I should add a specific combination

npmRepository: https://skimdb.npmjs.com/registry
supportsES6: true
withNodeImports: true
withSeparateModelsAndApi: true
apiPackage: client
modelPackage: models
enumPropertyNaming: UPPERCASE
7 changes: 5 additions & 2 deletions modules/openapi-generator/src/main/java/org/openapitools/codegen/CodegenSecurity.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ public class CodegenSecurity {
// Those are to differentiate basic and bearer authentication
// isHttpSignature is to support HTTP signature authorization scheme.
// https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
public Boolean isBasicBasic, isBasicBearer, isHttpSignature;
public Boolean isBasicBasic, isBasicBearer, isHttpSignature, isAWSV4Signature;
Copy link
Author

@NiltiakSivad NiltiakSivad May 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Surprised this wasn't already here given AWS IAM is supported in the go generator? Anticipating some feedback 👂

public String bearerFormat;
public Map<String, Object> vendorExtensions = new HashMap<String, Object>();
// ApiKey specific
Expand All @@ -56,6 +56,7 @@ public CodegenSecurity(CodegenSecurity original) {
this.isBasic = original.isBasic;
this.isBasicBasic = original.isBasicBasic;
this.isHttpSignature = original.isHttpSignature;
this.isAWSV4Signature = original.isAWSV4Signature;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this only used in the test or also in the template?

Copy link
Author

@NiltiakSivad NiltiakSivad Jun 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be used in the template to dynamically generate different code.

I figured stopping at the detection of using AWS Auth was a good way to separate out for smaller PRs for earlier feedback since what I have here in this PR doesn't break anything and only expands functionality

this.bearerFormat = original.bearerFormat;
this.isBasicBearer = original.isBasicBearer;
this.isApiKey = original.isApiKey;
Expand Down Expand Up @@ -134,6 +135,7 @@ public boolean equals(Object o) {
Objects.equals(isApiKey, that.isApiKey) &&
Objects.equals(isBasicBasic, that.isBasicBasic) &&
Objects.equals(isHttpSignature, that.isHttpSignature) &&
Objects.equals(isAWSV4Signature, that.isAWSV4Signature) &&
Objects.equals(isBasicBearer, that.isBasicBearer) &&
Objects.equals(bearerFormat, that.bearerFormat) &&
Objects.equals(vendorExtensions, that.vendorExtensions) &&
Expand All @@ -157,7 +159,7 @@ public boolean equals(Object o) {
public int hashCode() {

return Objects.hash(name, description, type, scheme, isBasic, isOAuth, isOpenId, isApiKey,
isBasicBasic, isHttpSignature, isBasicBearer, bearerFormat, vendorExtensions,
isBasicBasic, isHttpSignature, isAWSV4Signature, isBasicBearer, bearerFormat, vendorExtensions,
keyParamName, isKeyInQuery, isKeyInHeader, isKeyInCookie, flow,
authorizationUrl, tokenUrl, refreshUrl, scopes, isCode, isPassword, isApplication, isImplicit,
openIdConnectUrl);
Expand All @@ -176,6 +178,7 @@ public String toString() {
sb.append(", isApiKey=").append(isApiKey);
sb.append(", isBasicBasic=").append(isBasicBasic);
sb.append(", isHttpSignature=").append(isHttpSignature);
sb.append(", isAWSV4Signature=").append(isAWSV4Signature);
sb.append(", isBasicBearer=").append(isBasicBearer);
sb.append(", bearerFormat='").append(bearerFormat).append('\'');
sb.append(", vendorExtensions=").append(vendorExtensions);
Expand Down
114 changes: 104 additions & 10 deletions ...erator/src/main/java/org/openapitools/codegen/languages/TypeScriptAxiosClientCodegen.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,12 @@

package org.openapitools.codegen.languages;

import io.swagger.v3.oas.models.media.Schema;
import io.swagger.v3.parser.util.SchemaTypeUtil;
import lombok.Getter;
import lombok.Setter;
import java.io.File;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeSet;

import org.apache.commons.lang3.StringUtils;
import org.openapitools.codegen.*;
import org.openapitools.codegen.meta.features.DocumentationFeature;
Expand All @@ -30,12 +32,15 @@
import org.openapitools.codegen.model.OperationMap;
import org.openapitools.codegen.model.OperationsMap;
import org.openapitools.codegen.utils.ModelUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.File;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeSet;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.media.Schema;
import io.swagger.v3.oas.models.security.SecurityScheme;
import io.swagger.v3.parser.util.SchemaTypeUtil;
import lombok.Getter;
import lombok.Setter;

public class TypeScriptAxiosClientCodegen extends AbstractTypeScriptClientCodegen {

Expand All @@ -53,6 +58,8 @@ public class TypeScriptAxiosClientCodegen extends AbstractTypeScriptClientCodege
public static final String AXIOS_VERSION = "axiosVersion";
public static final String DEFAULT_AXIOS_VERSION = "^1.6.1";

private final Logger LOGGER = LoggerFactory.getLogger(TypeScriptAxiosClientCodegen.class);

@Getter @Setter
protected String npmRepository = null;
protected Boolean stringEnums = false;
Expand Down Expand Up @@ -121,6 +128,76 @@ private static String getRelativeToRoot(String path) {
return sb.toString();
}

@Override
public void preprocessOpenAPI(OpenAPI openAPI) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i would suggest to move it to the core, since its not typescript-specific, right?
also, i don't understand where the withAWSV4Signature is used in the template?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@macjohnny Thanks for your review! It isn't used in the templates yet, I was saving that for a Part 2 in an effort to keep the PR small and to collect feedback early. However, in package.mustache I made a small modification to show that the variable is being passed.

By moving to "core" do you mean modifying the DefaultCodegen or making changes to the openapi-generator-core module?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed with johnny suggestion to move it to the "core" : https://github.com/OpenAPITools/openapi-generator/blob/master/modules/openapi-generator/src/main/java/org/openapitools/codegen/DefaultCodegen.java#L5623-L5718

also agreed with your reply to do it in another PR instead to keep this PR small for easier review

super.preprocessOpenAPI(openAPI);

boolean hasAwsV4Signature = detectAwsV4Signature(openAPI);
additionalProperties.put("withAWSV4Signature", hasAwsV4Signature);
}

/**
* Detects if the OpenAPI specification uses AWS V4 signature authentication
* by checking for common patterns used in AWS API Gateway specifications.
*/
private boolean detectAwsV4Signature(OpenAPI openAPI) {
// Check security schemes for AWS V4 signature patterns
if (openAPI.getComponents() != null && openAPI.getComponents().getSecuritySchemes() != null) {
return openAPI.getComponents().getSecuritySchemes().entrySet().stream()
.anyMatch(entry -> isAwsV4SecurityScheme(entry.getKey(), entry.getValue(), openAPI));
}

return false;
}

/**
* Determines if a security scheme represents AWS V4 signature authentication
*/
private boolean isAwsV4SecurityScheme(String schemeName, SecurityScheme scheme, OpenAPI openAPI) {
if (scheme == null) {
return false;
}

// Pattern 1: Check for AWS-specific extension
if (scheme.getExtensions() != null) {
Object authType = scheme.getExtensions().get("x-amazon-apigateway-authtype");
if ("awsSigv4".equals(authType)) {
return true;
}
}

// Pattern 2: Check for common AWS V4 signature scheme names
String lowerSchemeName = schemeName.toLowerCase(Locale.ROOT);
if (lowerSchemeName.contains("sigv4") ||
lowerSchemeName.contains("aws") ||
lowerSchemeName.contains("iam")) {

// Additional validation: should be apiKey type with Authorization header
if (SecurityScheme.Type.APIKEY.equals(scheme.getType()) &&
"Authorization".equalsIgnoreCase(scheme.getName()) &&
SecurityScheme.In.HEADER.equals(scheme.getIn())) {
return true;
}
}

// Pattern 3: Check for AWS API Gateway URL patterns in servers
if (openAPI.getServers() != null) {
boolean hasAwsApiGatewayUrl = openAPI.getServers().stream()
.anyMatch(server -> server.getUrl() != null &&
(server.getUrl().contains("execute-api") && server.getUrl().contains("amazonaws.com")));

// If we have AWS API Gateway URL and an Authorization header scheme, likely AWS V4
if (hasAwsApiGatewayUrl &&
SecurityScheme.Type.APIKEY.equals(scheme.getType()) &&
"Authorization".equalsIgnoreCase(scheme.getName()) &&
SecurityScheme.In.HEADER.equals(scheme.getIn())) {
return true;
}
}

return false;
}

@Override
public void processOpts() {
super.processOpts();
Expand Down Expand Up @@ -182,7 +259,6 @@ public void processOpts() {
setAxiosVersion(additionalProperties.get(AXIOS_VERSION).toString());
}
additionalProperties.put("axiosVersion", getAxiosVersion());

}

@Override
Expand Down Expand Up @@ -363,4 +439,22 @@ protected void addImport(Schema composed, Schema childSchema, CodegenModel model
// import everything (including child schema of a composed schema)
addImport(model, modelName);
}

@Override
public List<CodegenSecurity> fromSecurity(Map<String, SecurityScheme> securitySchemeMap) {
List<CodegenSecurity> securities = super.fromSecurity(securitySchemeMap);

// Post-process security schemes to detect AWS V4 signature
for (CodegenSecurity security : securities) {
if (securitySchemeMap.containsKey(security.name)) {
SecurityScheme scheme = securitySchemeMap.get(security.name);
if (isAwsV4SecurityScheme(security.name, scheme, this.openAPI)) {
security.isAWSV4Signature = true;
LOGGER.info("Detected AWS V4 signature security scheme: {}", security.name);
}
}
}

return securities;
}
}
4 changes: 3 additions & 1 deletion modules/openapi-generator/src/main/resources/typescript-axios/package.mustache
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,9 @@
"prepare": "npm run build"
},
"dependencies": {
"axios": "{{axiosVersion}}"
"axios": "{{axiosVersion}}"{{#withAWSV4Signature}},
Copy link
Author

@NiltiakSivad NiltiakSivad May 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can remove this before merge but wanted to show it working with a conditional

"aws4": "^1.11.0",
"@aws-sdk/credential-provider-node": "^3.400.0"{{/withAWSV4Signature}}
},
"devDependencies": {
"@types/node": "12.11.5 - 12.20.42",
Expand Down
82 changes: 80 additions & 2 deletions ...test/java/org/openapitools/codegen/typescript/axios/TypeScriptAxiosClientCodegenTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,23 @@
package org.openapitools.codegen.typescript.axios;

import static org.assertj.core.api.Assertions.assertThat;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertFalse;
import static org.testng.Assert.assertTrue;

import java.util.List;
import java.util.Map;

import org.openapitools.codegen.CodegenConstants;
import org.openapitools.codegen.CodegenSecurity;
import org.openapitools.codegen.SupportingFile;
import org.openapitools.codegen.TestUtils;
import org.openapitools.codegen.languages.TypeScriptAxiosClientCodegen;
import org.openapitools.codegen.typescript.TypeScriptGroups;
import org.testng.annotations.Test;

import static org.assertj.core.api.Assertions.assertThat;
import static org.testng.Assert.assertEquals;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.SecurityScheme;

@Test(groups = {TypeScriptGroups.TYPESCRIPT, TypeScriptGroups.TYPESCRIPT_AXIOS})
public class TypeScriptAxiosClientCodegenTest {
Expand Down Expand Up @@ -130,4 +140,72 @@ public void testAppliesCustomAxiosVersion() {

assertEquals(codegen.additionalProperties().get("axiosVersion"), "^1.2.3");
}

@Test
public void testDetectsAwsIamAuthenticationWithExtension() {
OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/typescript-axios/with-aws-iam.yaml");
TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();

// Call preprocessOpenAPI which will detect AWS and set the property
codegen.preprocessOpenAPI(openAPI);

// Should detect AWS V4 signature due to x-amazon-apigateway-authtype extension
assertTrue((Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
}

@Test
public void testDetectsAwsIamAuthenticationWithNaming() {
OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/typescript-axios/with-aws-iam.yaml");
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is technically the same as the above at the moment. I wanted to see if others felt good about the 3 different detection mechanisms. I can split the example out into multiple so that all 3 patterns are not found in 1 file, and each can be tested in isolation without the potential for a false positive.

TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();

// Call preprocessOpenAPI which will detect AWS and set the property
codegen.preprocessOpenAPI(openAPI);

// Should detect AWS V4 signature due to scheme name patterns and AWS API Gateway URL
assertTrue((Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
}

@Test
public void testDoesNotDetectAwsIamInRegularPetstore() {
OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/petstore.yaml");
TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();

// Call preprocessOpenAPI
codegen.preprocessOpenAPI(openAPI);

// Should NOT detect AWS V4 signature in regular petstore
assertFalse(codegen.additionalProperties().containsKey(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT) &&
(Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
}

@Test
public void testDoesNotDetectAwsIamInSwagger2Petstore() {
OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/2_0/petstore.yaml");
TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();

// Call preprocessOpenAPI
codegen.preprocessOpenAPI(openAPI);

// Should NOT detect AWS V4 signature in Swagger 2.0 petstore either
assertFalse(codegen.additionalProperties().containsKey(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT) &&
(Boolean) codegen.additionalProperties().get(CodegenConstants.WITH_AWSV4_SIGNATURE_COMMENT));
}

@Test
public void testFromSecuritySetsAwsV4Flag() {
OpenAPI openAPI = TestUtils.parseFlattenSpec("src/test/resources/3_0/typescript-axios/with-aws-iam.yaml");
TypeScriptAxiosClientCodegen codegen = new TypeScriptAxiosClientCodegen();

// Call preprocessOpenAPI first to set up the openAPI object
codegen.preprocessOpenAPI(openAPI);

// Test fromSecurity method directly
Map<String, SecurityScheme> securitySchemes =
openAPI.getComponents().getSecuritySchemes();
List<CodegenSecurity> securities = codegen.fromSecurity(securitySchemes);

// Should have AWS V4 signature flagged on individual security schemes
boolean hasAwsV4 = securities.stream().anyMatch(s -> Boolean.TRUE.equals(s.isAWSV4Signature));
assertTrue(hasAwsV4, "fromSecurity should set isAWSV4Signature=true for AWS schemes");
}
}
Loading