feat: update revenue endpoint auth #5
cafe AI Review: 🟢 Completed
Reunite Bot has reviewed your changes and found 2 potential issue(s).
Note
Low Risk
This PR poses minimal risk as the changes are isolated to OpenAPI schema definitions and a UI configuration hook. Adding a new scope and alternative authentication method for a single endpoint is non-disruptive and maintains backward compatibility.
Overview
Updates the Cafe API documentation to support dual authentication for the /revenue endpoint, adding OAuth2 alongside the existing API Key auth. Introduces a new revenue:read scope across OAuth2 security definitions, schema components (OAuth2Client, RegisterClientObject), and examples. Additionally, updates the internal theme replay configuration to recognize the newly added scope.
| - menu:write | ||
| - orders:read | ||
| - orders:write | ||
| - revenue:read |
The description still lists "(menu:read, menu:write, orders:read, orders:write)" as all available scopes. It should be updated to include the newly added "revenue:read" scope for consistency with the schema.
| security: | ||
| - ApiKey: [] | ||
| - OAuth2: | ||
| - revenue:read |
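Review bot: "- ApiKey: []" sits under security: as its own list item next to "- OAuth2:", and OpenAPI treats separate items as alternatives, so a caller presenting only the API key satisfies this operation and the revenue:read scope is never evaluated for that caller. If the scope is meant to gate this operation, drop the ApiKey item; if the API key path is kept on purpose, state that in the operation description so readers do not assume revenue:read is enforced on every request.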
The ApiKey remains an alternative to OAuth2 for the sensitive /revenue endpoint. Since ApiKey lacks scope restrictions, it could allow over-privileged access, bypassing the granular revenue:read scope intended for this financial data.
Updated Cafe API revenue endpoint with double auth type security.
The reason for that is easier demonstration.
So now both OAuth2 and APIKey auth will work for the revenue endpoint. Also introduced a new revenue:read scope.
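An added example, not code from this PR or the Cafe API project: a small evaluator for OpenAPI security requirement lists, showing which callers the security block discussed above admits. The function and constant names, the constructed callers and the OAuth2-only variant are assumptions made for illustration.

```python
# Added example: evaluating an OpenAPI `security` list.
# Items in the list are alternatives (OR); schemes named inside one
# item must all be satisfied together (AND).

def satisfies(security, presented):
    """Return True if the presented credentials meet any requirement.

    security  -- list of requirement objects from the operation
    presented -- dict of scheme name -> set of granted scopes
                 (an API key carries no scopes, so its set is empty)
    """
    for requirement in security:                      # OR across items
        if all(
            scheme in presented and set(scopes) <= presented[scheme]
            for scheme, scopes in requirement.items()  # AND inside an item
        ):
            return True
    return False

# The requirement as it appears in this PR: two separate items.
REVENUE_AS_IN_PR = [{"ApiKey": []}, {"OAuth2": ["revenue:read"]}]
# Hypothetical variant without the API key alternative.
REVENUE_OAUTH_ONLY = [{"OAuth2": ["revenue:read"]}]

# Constructed callers (not real credentials).
CALLERS = {
    "api key only": {"ApiKey": set()},
    "token without revenue:read": {"OAuth2": {"menu:read", "orders:read"}},
    "token with revenue:read": {"OAuth2": {"revenue:read"}},
    "api key + unscoped token": {"ApiKey": set(), "OAuth2": {"menu:read"}},
}

def access_table():
    """Map caller -> (allowed as in PR, allowed with OAuth2 only)."""
    return {
        name: (satisfies(REVENUE_AS_IN_PR, creds),
               satisfies(REVENUE_OAUTH_ONLY, creds))
        for name, creds in CALLERS.items()
    }

if __name__ == "__main__":
    for name, (as_pr, oauth_only) in access_table().items():
        print(f"{name:28} as in PR: {as_pr!s:5}  OAuth2 only: {oauth_only}")
```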