docs(openapi): document apikey auth in openapi.json (#7534)

* docs(openapi): document apikey auth in openapi.json (#7532)

The API accepts the key via ?apikey=, ?api_key=, or the apikey header, but
only ?apikey= was advertised in /api-docs.json. /api/{version}/openapi.json
was worse: it hardcoded an OAuth2 scheme even when Etherpad was started in
apikey auth mode.

Switch both generators on settings.authenticationMethod and publish apiKey
schemes for the query (apikey, api_key) and header (apikey) variants. The
openapi.ts definition is now regenerated per request so runtime settings
are reflected.

The raw authorization: <key> header still works in code but is deliberately
not documented — pinning it in the spec would ossify a quirk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(openapi): add apiKeyAlias/apiKeyHeader conditionally in RestAPI.ts

In SSO mode, apiKeyAlias and apiKeyHeader were always present in
securitySchemes even though they're only relevant when
authenticationMethod is 'apikey'. Mirror the pattern used for the sso
scheme: add these two schemes dynamically inside the apikey branch, and
mark them optional in the TypeScript type annotation.

Agent-Logs-Url: https://github.com/ether/etherpad/sessions/1d440432-7389-462e-9aac-9a3c027640e8

Co-authored-by: JohnMcLear <220864+JohnMcLear@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JohnMcLear <220864+JohnMcLear@users.noreply.github.com>
This commit is contained in:
John McLear 2026-04-18 17:09:18 +01:00 committed by GitHub
parent 0206e0447c
commit 66f49bb808
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 123 additions and 24 deletions

View file

@ -192,6 +192,16 @@ const prepareDefinition = (mapping: Map<string, Record<string, RestAPIMapping>>,
"in": string
},
"apiKeyAlias"?: {
"type": string,
"name": string,
"in": string
},
"apiKeyHeader"?: {
"type": string,
"name": string,
"in": string
},
"sso"?: {
"type": string,
"flows": {
@ -255,10 +265,20 @@ const prepareDefinition = (mapping: Map<string, Record<string, RestAPIMapping>>,
}
if (authenticationMethod === "apikey") {
definitions.components.securitySchemes.apiKeyAlias = {
type: "apiKey",
name: "api_key",
in: "query",
};
definitions.components.securitySchemes.apiKeyHeader = {
type: "apiKey",
name: "apikey",
in: "header",
};
definitions.security = [
{
"apiKey": []
}
{"apiKey": []},
{"apiKeyAlias": []},
{"apiKeyHeader": []},
]
} else if (authenticationMethod === "sso") {
definitions.components.securitySchemes.sso = {