Skip to content

feat(core): add support for combo security #1416#1417

Merged
danielpeintner merged 4 commits into
eclipse-thingweb:masterfrom
node-opcua:feat/combo
Sep 12, 2025
Merged

feat(core): add support for combo security #1416#1417
danielpeintner merged 4 commits into
eclipse-thingweb:masterfrom
node-opcua:feat/combo

Conversation

@erossignon
Copy link
Copy Markdown
Contributor

@erossignon erossignon commented Sep 2, 2025

No description provided.

@erossignon erossignon mentioned this pull request Sep 2, 2025
Merged
@erossignon erossignon force-pushed the feat/combo branch 4 times, most recently from bfd7a91 to ebabb88 Compare September 2, 2025 15:15
relu91
relu91 requested changes Sep 4, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@relu91 relu91 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small changes (and also watch out that this PR has conflicts as it contains changes from #1418 )

Comment thread packages/core/src/consumed-thing.ts Outdated
Comment thread packages/core/src/consumed-thing.ts Outdated
@erossignon
Copy link
Copy Markdown
Contributor Author

erossignon commented Sep 4, 2025
edited
Loading

I am just adding this lingk https://w3c.github.io/wot-thing-description/ontology/wotsec#ComboSecurityScheme https://www.w3.org/TR/2023/REC-wot-thing-description11-20231205/#combosecurityscheme so we can easily retrieve the section that talks about ComboSecurityScheme in our discussion

@relu91
Copy link
Copy Markdown
Member

relu91 commented Sep 4, 2025

https://w3c.github.io/wot-thing-description/ontology/wotsec#ComboSecurityScheme

Sorry, but I don't get your point. Are you referring to this statement?

The oneOf combination is equivalent to using different security schemes on forms that are otherwise identical. In this sense a oneOf scheme is not an essential feature but it does avoid redundancy in such cases.

If that's so, I'm ok to return all the schemes referred in the oneOf field.

@erossignon
Copy link
Copy Markdown
Contributor Author

erossignon commented Sep 4, 2025

I believe we could also handle the case of oneOf , by passing a structure of resolved scheme downward. At the end of the day, the binding need to be made aware of the oneOf security scheme and choose one of them.
Let me propose something

@erossignon erossignon force-pushed the feat/combo branch 2 times, most recently from 9efc831 to 6fc35a3 Compare September 4, 2025 12:39
@erossignon erossignon marked this pull request as draft September 4, 2025 13:19
@erossignon
feat(core): refine combo security scheme implementation eclipse-thing…
0bc5c88 
…web#1416

  This commit refines the implementation of combo security schemes
  by introducing explicit AllOfSecurityScheme and OneOfSecurityScheme
  types.

  The getSecuritySchemes method in ConsumedThing has been updated to
  recursively resolve these schemes, and the tests have been expanded
  to cover nested allOf and oneOf scenarios.
@erossignon erossignon marked this pull request as ready for review September 4, 2025 16:29
danielpeintner
danielpeintner reviewed Sep 5, 2025
View reviewed changes
Comment thread packages/core/src/thing-description.ts
danielpeintner
danielpeintner reviewed Sep 5, 2025
View reviewed changes
Comment thread packages/core/src/thing-description.ts
relu91
relu91 reviewed Sep 8, 2025
View reviewed changes
Comment thread packages/core/src/consumed-thing.ts Outdated
oneOf,
};
}
return undefined; // not supported , but handled gracefully
Copy link
Copy Markdown
Member

@relu91 relu91 Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danielpeintner, what do you think here? This is sort of a bad erroneous condition. It means that initial validation of the consumed thing didn't spot an unsupported security scheme, and we are returning an undefined that will result in a final sparse scs array (with undefined elements).

I believe it should be better to throw ...

Copy link
Copy Markdown
Member

@danielpeintner danielpeintner Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with @relu91 that throwing in such a case is the better solution

Copy link
Copy Markdown
Contributor Author

@erossignon erossignon Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of returning undefined, we could returning null. This would cause the scheme to be simply ignored.
In both cases this might cause unpredicable results, expecitally in the credentials settings ( could be ignored or by-passed) so I am i favor of throwing an exception too. ( defensive rather than accommodating )

@egekorkan
Copy link
Copy Markdown
Member

egekorkan commented Sep 8, 2025

I am just adding this lingk https://w3c.github.io/wot-thing-description/ontology/wotsec#ComboSecurityScheme so we can easily retrieve the section that talks about ComboSecurityScheme in our discussion

I would always point to published standards as that URL is more volatile: https://www.w3.org/TR/2023/REC-wot-thing-description11-20231205/#combosecurityscheme

danielpeintner
danielpeintner reviewed Sep 8, 2025
View reviewed changes
Comment thread packages/core/test/ClientTest.ts
@codecov
Copy link
Copy Markdown

codecov Bot commented Sep 9, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.54%. Comparing base (3325e12) to head (9ffcaa2).
⚠️ Report is 13 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1417      +/-   ##
==========================================
- Coverage   77.58%   77.54%   -0.04%     
==========================================
  Files          79       79              
  Lines       15331    15381      +50     
  Branches     1445     1452       +7     
==========================================
+ Hits        11894    11927      +33     
- Misses       3414     3432      +18     
+ Partials       23       22       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@erossignon
feat(core): add validation for combo security schemes eclipse-thingwe…
c9fa3db 
…b#1416

This commit introduces validation for combo security schemes to ensure
that a combo scheme contains either 'allOf' or 'oneOf', but not both.

- Throws an error if a combo scheme is invalid.
- Adds unit tests to verify the new validation logic.
@danielpeintner danielpeintner mentioned this pull request Sep 11, 2025
Open
@danielpeintner
Copy link
Copy Markdown
Member

danielpeintner commented Sep 12, 2025

Thank you, @erossignon 👍

@danielpeintner danielpeintner merged commit e5bbddc into eclipse-thingweb:master Sep 12, 2025
14 checks passed
@danielpeintner danielpeintner mentioned this pull request Sep 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@egekorkan egekorkan egekorkan left review comments

@relu91 relu91 relu91 approved these changes

@danielpeintner danielpeintner danielpeintner approved these changes

@JKRhb JKRhb Awaiting requested review from JKRhb JKRhb is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@erossignon @relu91 @egekorkan @danielpeintner