feat(core): add validation for combo security schemes #1416

erossignon · erossignon · commit c9fa3db575fc · 2025-09-09T09:57:04.000+02:00
This commit introduces validation for combo security schemes to ensure
that a combo scheme contains either 'allOf' or 'oneOf', but not both.

- Throws an error if a combo scheme is invalid.
- Adds unit tests to verify the new validation logic.
diff --git a/packages/core/src/consumed-thing.ts b/packages/core/src/consumed-thing.ts
@@ -451,23 +451,25 @@ export default class ConsumedThing extends Thing implements IConsumedThing {
 
         const visitSchemes = (security: Array<string>) => {
             const resolveComboScheme = (
-                combo: ComboSecurityScheme
+                combo: ComboSecurityScheme,
+                name: string
             ): AllOfSecurityScheme | OneOfSecurityScheme | undefined => {
-                if (combo.allOf instanceof Array) {
+                if (combo.allOf instanceof Array && combo.oneOf === undefined) {
                     const allOf = visitSchemes(combo.allOf as string[]);
                     return <AllOfSecurityScheme>{
                         scheme: "combo",
                         allOf,
                     };
-                }
-                if (combo.oneOf instanceof Array) {
+                } else if (combo.oneOf instanceof Array && combo.allOf === undefined) {
                     const oneOf = visitSchemes(combo.oneOf as string[]);
                     return <OneOfSecurityScheme>{
                         scheme: "combo",
                         oneOf,
                     };
+                } else {
+                    // invalid combination that should be spotted by the TD schema verificator
+                    throw new Error(`Combo SecurityScheme '${name}' is invalid`);
                 }
-                return undefined; // not supported , but handled gracefully
             };
             const scs: SecurityScheme[] = [];
             for (const s of security) {
@@ -480,7 +482,7 @@ export default class ConsumedThing extends Thing implements IConsumedThing {
                 let ws: SecurityScheme | undefined = this.securityDefinitions[s];
                 // also push nosec in case of proxy
                 if (ws?.scheme === "combo") {
-                    ws = resolveComboScheme(ws as ComboSecurityScheme);
+                    ws = resolveComboScheme(ws as ComboSecurityScheme, s);
                 }
                 if (ws != null) {
                     scs.push(ws);
diff --git a/packages/core/test/ClientTest.ts b/packages/core/test/ClientTest.ts
@@ -21,7 +21,7 @@
  */
 
 import { suite, test } from "@testdeck/mocha";
-import { expect, should, use as chaiUse } from "chai";
+import { expect, should, use as chaiUse, assert } from "chai";
 
 import { Subscription } from "rxjs/Subscription";
 
@@ -1000,4 +1000,49 @@ class WoTClientTest {
         const a2 = second.allOf[0];
         expect(a1).equals(a2);
     }
+
+    @test "invalid combo with allOf AND onOf should be detected and throw"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            // a badly designed combo has allOf and oneOf
+            a: {
+                scheme: "a",
+            },
+            b: {
+                scheme: "b",
+            },
+            combo_oneOf_and_allof: {
+                scheme: "combo",
+                allOf: ["a", "b"],
+                oneOf: ["a", "b"],
+            },
+        };
+        ct.security = ["combo_oneOf_and_allof"];
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+        };
+        assert.throws(() => {
+            ct.ensureClientSecurity(pc, form);
+        }, /Combo SecurityScheme 'combo_oneOf_and_allof' is invalid/);
+    }
+
+    @test "invalid combo with missing allOf and oneOf should be detected and throw"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            // a badly designed combo has NO allOf and NO oneOf
+
+            combo_without_oneOf_and_without_allof: {
+                scheme: "combo",
+            },
+        };
+        ct.security = ["combo_without_oneOf_and_without_allof"];
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+        };
+        assert.throws(() => {
+            ct.ensureClientSecurity(pc, form);
+        }, /Combo SecurityScheme 'combo_without_oneOf_and_without_allof' is invalid/);
+    }
 }
