Skip to content

feat(car-sharing): authz-aware OpenAPI generation#34

Merged
intech merged 1 commit into
mainfrom
feat/car-sharing-openapi
Jun 23, 2026
Merged

feat(car-sharing): authz-aware OpenAPI generation#34
intech merged 1 commit into
mainfrom
feat/car-sharing-openapi

Conversation

@intech

@intech intech commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

What

Adds OpenAPI v3.1 generation to the car-sharing example so the published contract reflects Connectum's proto authz — the same options createProtoAuthzInterceptor enforces at runtime also drive the spec, so the two cannot drift.

How

Two decoupled steps, run via pnpm openapi:

  1. Base specbuf.gen.openapi.yaml (separate from the offline buf.gen.yaml) runs the sudorandom/protoc-gen-connect-openapi buf remote plugin → OpenAPI v3.1 under openapi/. Isolated so the network plugin never runs during buf:generate/tests.
  2. Authz overlayscripts/openapi-authz.ts reads connectum.auth.v1 options via resolveMethodAuth (the same reader the runtime interceptor uses) and injects per-operation security (bearerAuth), security: [] + x-connectum-public for public methods, and x-connectum-required-roles/-scopes.

Verified

  • TripService (4 methods): StartTrip/GetTripbearerAuth (secured); EndTrip/RecordTripsecurity: [] + x-connectum-public (tokenless worker RPCs). Confirmed against the generated openapi/trips/v1/trips.openapi.yaml paths.
  • FleetService.ListVehicles is server-streaming → no operation in the base spec (overlay skips it); fleet/billing are public.
  • pnpm typecheck ✓ · pnpm test 39/39 ✓
  • Works on the published @connectum/auth 1.0.0 (the ./proto subpath export). No published-package change.

Design rationale: ADR-030; usage: the OpenAPI guide (docs PR).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Published OpenAPI 3.1 specifications for Billing, Fleet, and Trips services with complete HTTP endpoint definitions, request/response schemas, error handling details, and JWT authentication requirements
    • Automated authorization metadata injection into OpenAPI specifications
  • Documentation

    • Added detailed OpenAPI generation and regeneration process documentation with configuration and usage instructions

Add OpenAPI v3.1 generation that reflects Connectum's proto authz, so the
published contract cannot drift from what the gateway enforces at runtime.

- buf.gen.openapi.yaml: separate template (inputs: proto) running the
  sudorandom/protoc-gen-connect-openapi buf remote plugin, kept apart from the
  offline buf.gen.yaml so the network plugin never runs during buf:generate.
- scripts/openapi-authz.ts: overlay that reads connectum.auth.v1 options via
  resolveMethodAuth — the same reader createProtoAuthzInterceptor uses — and
  injects per-operation security (bearerAuth), security: [] +
  x-connectum-public for public methods, and x-connectum-required-roles/-scopes.
- openapi/{trips,fleet,billing}/v1/*.openapi.yaml: the committed showcase output.
- package.json: `pnpm openapi` script (base gen → authz overlay) + yaml devDep.
- README: "OpenAPI — the published contract reflects the authz" section.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MdeH7fExPmiRHRirGuvGk3
@github-actions github-actions Bot added the type:feature New feature or enhancement request label Jun 23, 2026
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0da8c8d-ec65-4531-9eaa-83422342b200

📥 Commits

Reviewing files that changed from the base of the PR and between addad23 and 3a6d20e.

📒 Files selected for processing (7)
  • car-sharing/README.md
  • car-sharing/buf.gen.openapi.yaml
  • car-sharing/openapi/billing/v1/billing.openapi.yaml
  • car-sharing/openapi/fleet/v1/fleet.openapi.yaml
  • car-sharing/openapi/trips/v1/trips.openapi.yaml
  • car-sharing/package.json
  • car-sharing/scripts/openapi-authz.ts

📝 Walkthrough

Walkthrough

Adds a two-step OpenAPI generation pipeline to the car-sharing example. A new buf.gen.openapi.yaml config generates base specs from proto using the sudorandom-connect-openapi plugin. A new scripts/openapi-authz.ts script then overlays JWT bearer security and x-connectum-* extensions per operation via resolveMethodAuth. Three generated OpenAPI 3.1.0 specs are committed for Billing, Fleet, and Trips services. A README section documents the pipeline.

Changes

OpenAPI Generation Pipeline

Layer / File(s) Summary
Generation tooling: buf config and npm script
car-sharing/buf.gen.openapi.yaml, car-sharing/package.json
Adds buf.gen.openapi.yaml for base spec generation via the sudorandom-connect-openapi plugin, wires a new openapi npm script chaining buf and the overlay script, and adds yaml as a devDependency.
Authz overlay script
car-sharing/scripts/openapi-authz.ts
Parses each service's generated YAML, injects a bearerAuth security scheme, iterates methods via resolveMethodAuth to set per-operation security arrays and x-connectum-* extensions (public flag, required roles/scopes), writes updated specs, and deletes the generated openapi/connectum noise spec.
Generated OpenAPI contracts
car-sharing/openapi/billing/v1/billing.openapi.yaml, car-sharing/openapi/fleet/v1/fleet.openapi.yaml, car-sharing/openapi/trips/v1/trips.openapi.yaml
Three OpenAPI 3.1.0 specs for Billing (5 POST ops), Fleet (3 POST ops + 1 stub), and Trips (4 POST ops), each with Connect header parameters, domain request/response schemas, a shared connect.error model, bearerAuth security scheme, and per-operation security entries reflecting proto authz options.
README documentation
car-sharing/README.md
Adds a section describing the two-step generation flow, per-operation security injection behavior, streaming RPC omission, and the pending x-internal handling for internal proto methods.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type:feature

Poem

🐇 Hop, hop, a spec appears,
From proto fields to YAML frontiers!
Bearer tokens, roles, and scopes in view,
The OpenAPI contract shines brand new.
Public paths wave with an empty array,
While internal hops stay locked away. 🔐

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/car-sharing-openapi

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@intech intech merged commit 7619fb2 into main Jun 23, 2026
6 of 7 checks passed
@intech intech deleted the feat/car-sharing-openapi branch June 23, 2026 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type:feature New feature or enhancement request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant