[rust-salvo] Preserve OAuth2 scopes in endpoint security annotation

root · root · commit e488d1f850e3 · 2026-05-13T20:03:25.000+08:00
Pull the declared scopes from `CodegenSecurity.scopes` onto each Salvo
auth scheme descriptor and render them inside the
`#[salvo::oapi::endpoint(security(...))]` array. Previously every
scheme was emitted with an empty `[]`, dropping the OAuth2 / OIDC
authorization scopes from the OpenAPI source spec
(e.g. `("OAuth2" = [])` → `("OAuth2" = ["write:pets", "read:pets"])`).
diff --git a/modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/RustSalvoServerCodegen.java b/modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/RustSalvoServerCodegen.java
@@ -472,38 +472,68 @@ static class SalvoRouteGroup {
 
     // Auth scheme descriptor exposed to templates. `kind` is used to pick the
     // factory function in routes.mustache; `schemaName` shows up in the
-    // `#[salvo::oapi::endpoint(security(...))]` annotation.
+    // `#[salvo::oapi::endpoint(security(...))]` annotation along with any
+    // declared OAuth2/OIDC scopes.
     static class SalvoAuthScheme {
-        public String kind;        // "apiKey" | "basic" | "bearer"
-        public String factory;     // factory fn in middleware.rs
+        public String kind;        // "apiKey" | "basic" | "bearer" | "oauth2"
+        public String factory;     // factory fn in middleware.rs, null for oauth2
         public String schemaName;  // name used in OpenAPI security() annotation
+        public List<SalvoAuthScope> scopes;
 
-        SalvoAuthScheme(String kind, String factory, String schemaName) {
+        SalvoAuthScheme(String kind, String factory, String schemaName, List<SalvoAuthScope> scopes) {
             this.kind = kind;
             this.factory = factory;
             this.schemaName = schemaName;
+            this.scopes = scopes;
         }
 
         static SalvoAuthScheme fromCodegen(CodegenSecurity sec) {
+            List<SalvoAuthScope> scopeList = extractScopes(sec);
             if (Boolean.TRUE.equals(sec.isApiKey)) {
-                return new SalvoAuthScheme("apiKey", "api_key_auth", "ApiKeyAuth");
+                return new SalvoAuthScheme("apiKey", "api_key_auth", "ApiKeyAuth", scopeList);
             }
             if (Boolean.TRUE.equals(sec.isBasic) && Boolean.TRUE.equals(sec.isBasicBearer)) {
-                return new SalvoAuthScheme("bearer", "bearer_auth", "BearerAuth");
+                return new SalvoAuthScheme("bearer", "bearer_auth", "BearerAuth", scopeList);
             }
             if (Boolean.TRUE.equals(sec.isBasic) && Boolean.TRUE.equals(sec.isBasicBasic)) {
-                return new SalvoAuthScheme("basic", "basic_auth_hoop", "BasicAuth");
+                return new SalvoAuthScheme("basic", "basic_auth_hoop", "BasicAuth", scopeList);
             }
             if (Boolean.TRUE.equals(sec.isBasic)) {
-                return new SalvoAuthScheme("basic", "basic_auth_hoop", "BasicAuth");
+                return new SalvoAuthScheme("basic", "basic_auth_hoop", "BasicAuth", scopeList);
             }
             // OAuth2 / OpenIdConnect: leave runtime enforcement to the user,
-            // but still surface the scheme so the OpenAPI annotation is correct.
+            // but surface the scheme + scopes so the OpenAPI annotation stays
+            // faithful to the source spec.
             if (Boolean.TRUE.equals(sec.isOAuth)) {
-                return new SalvoAuthScheme("oauth2", null, "OAuth2");
+                return new SalvoAuthScheme("oauth2", null, "OAuth2", scopeList);
             }
             return null;
         }
+
+        @SuppressWarnings("unchecked")
+        private static List<SalvoAuthScope> extractScopes(CodegenSecurity sec) {
+            List<SalvoAuthScope> out = new ArrayList<>();
+            if (sec.scopes == null) {
+                return out;
+            }
+            for (Map<String, Object> entry : sec.scopes) {
+                Object name = entry.get("scope");
+                if (name != null) {
+                    out.add(new SalvoAuthScope(name.toString()));
+                }
+            }
+            return out;
+        }
+    }
+
+    // Single OAuth2/OIDC scope name. Held in its own class so mustache can
+    // render the comma-separated list naturally with `{{#-last}}` semantics.
+    static class SalvoAuthScope {
+        public String scope;
+
+        SalvoAuthScope(String scope) {
+            this.scope = scope;
+        }
     }
 
     @Override
diff --git a/modules/openapi-generator/src/main/resources/rust-salvo/handlers.mustache b/modules/openapi-generator/src/main/resources/rust-salvo/handlers.mustache
@@ -27,7 +27,7 @@ use crate::models::{self, *};
 #[salvo::oapi::endpoint(
     operation_id = "{{operationId}}",
     tags("{{classname}}"){{#vendorExtensions.x-has-auth}},
-    security({{#vendorExtensions.x-salvo-auth-schemes}}("{{schemaName}}" = []){{^-last}}, {{/-last}}{{/vendorExtensions.x-salvo-auth-schemes}}){{/vendorExtensions.x-has-auth}}
+    security({{#vendorExtensions.x-salvo-auth-schemes}}("{{schemaName}}" = [{{#scopes}}"{{scope}}"{{^-last}}, {{/-last}}{{/scopes}}]){{^-last}}, {{/-last}}{{/vendorExtensions.x-salvo-auth-schemes}}){{/vendorExtensions.x-has-auth}}
 )]
 pub async fn {{operationId}}(
 {{#hasParams}}
diff --git a/modules/openapi-generator/src/test/java/org/openapitools/codegen/rust/RustSalvoServerCodegenTest.java b/modules/openapi-generator/src/test/java/org/openapitools/codegen/rust/RustSalvoServerCodegenTest.java
@@ -137,6 +137,27 @@ public void testMiddlewareGeneration() throws IOException {
         TestUtils.assertFileNotContains(libPath, ".hoop(auth_middleware())");
     }
 
+    @Test
+    public void testOAuth2ScopesPropagateToEndpointAnnotation() throws IOException {
+        Path target = Files.createTempDirectory("salvo-oauth-scopes-test");
+        final CodegenConfigurator configurator = new CodegenConfigurator()
+                .setGeneratorName("rust-salvo")
+                .setInputSpec("src/test/resources/3_0/petstore.yaml")
+                .setSkipOverwrite(false)
+                .setOutputDir(target.toAbsolutePath().toString().replace("\\", "/"));
+
+        List<File> files = new DefaultGenerator().opts(configurator.toClientOptInput()).generate();
+        files.forEach(File::deleteOnExit);
+
+        // Petstore's `petstore_auth` OAuth2 scheme grants `write:pets` and
+        // `read:pets`; the generated endpoint annotation must carry those
+        // exact scopes rather than an empty list.
+        Path petHandlersPath = Path.of(target.toString(), "src/handlers/pet.rs");
+        TestUtils.assertFileExists(petHandlersPath);
+        TestUtils.assertFileContains(petHandlersPath,
+                "security((\"OAuth2\" = [\"write:pets\", \"read:pets\"]))");
+    }
+
     @Test
     public void testSerdeRenameOnCamelCaseFields() throws IOException {
         Path target = Files.createTempDirectory("salvo-rename-test");
diff --git a/samples/server/petstore/rust-salvo/output/petstore/src/handlers/pet.rs b/samples/server/petstore/rust-salvo/output/petstore/src/handlers/pet.rs
@@ -24,7 +24,7 @@ use crate::models::{self, *};
 #[salvo::oapi::endpoint(
     operation_id = "add_pet",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["write:pets", "read:pets"]))
 )]
 pub async fn add_pet(
     pet: JsonBody<Pet>,
@@ -40,7 +40,7 @@ pub async fn add_pet(
 #[salvo::oapi::endpoint(
     operation_id = "delete_pet",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["write:pets", "read:pets"]))
 )]
 pub async fn delete_pet(
     pet_id: PathParam<i64>,
@@ -57,7 +57,7 @@ pub async fn delete_pet(
 #[salvo::oapi::endpoint(
     operation_id = "find_pets_by_status",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["read:pets"]))
 )]
 pub async fn find_pets_by_status(
     status: QueryParam<Vec<String>, true>,
@@ -73,7 +73,7 @@ pub async fn find_pets_by_status(
 #[salvo::oapi::endpoint(
     operation_id = "find_pets_by_tags",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["read:pets"]))
 )]
 pub async fn find_pets_by_tags(
     tags: QueryParam<Vec<String>, true>,
@@ -105,7 +105,7 @@ pub async fn get_pet_by_id(
 #[salvo::oapi::endpoint(
     operation_id = "update_pet",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["write:pets", "read:pets"]))
 )]
 pub async fn update_pet(
     pet: JsonBody<Pet>,
@@ -121,7 +121,7 @@ pub async fn update_pet(
 #[salvo::oapi::endpoint(
     operation_id = "update_pet_with_form",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["write:pets", "read:pets"]))
 )]
 pub async fn update_pet_with_form(
     pet_id: PathParam<i64>,
@@ -139,7 +139,7 @@ pub async fn update_pet_with_form(
 #[salvo::oapi::endpoint(
     operation_id = "upload_file",
     tags("pet"),
-    security(("OAuth2" = []))
+    security(("OAuth2" = ["write:pets", "read:pets"]))
 )]
 pub async fn upload_file(
     pet_id: PathParam<i64>,
