feat(spp_api_v2): OpenAPI polymorphic bodies, OAuth2 scheme in auth middleware, bundle schemas (re-land from #76) #276
gonzalesedwin1123 wants to merge 3 commits into
Code Review
This pull request introduces polymorphic OpenAPI schema utilities to document BundleEntry.resource as a polymorphic Individual/Group body, replaces the plain HTTPBearer authentication scheme with an OAuth2 client-credentials scheme, and adds corresponding contract and unit tests. The review feedback highlights two main improvements: first, in openapi_polymorphic.py, the custom OpenAPI hook should call the original app.openapi method instead of calling get_openapi directly to avoid discarding app metadata; second, in auth.py, the token extraction should strip any leading or trailing whitespace after slicing the 'Bearer ' prefix to ensure robust JWT decoding.
| def custom_openapi(): | ||
| if app.openapi_schema: | ||
| return app.openapi_schema | ||
| schema = get_openapi( | ||
| title=app.title, | ||
| version=app.version, | ||
| description=app.description, | ||
| routes=app.routes, | ||
| ) | ||
| components = schema.setdefault("components", {}).setdefault("schemas", {}) |
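Review bot: the early return at `if app.openapi_schema: return app.openapi_schema` skips everything below it whenever a schema is already cached, so if the schema is generated before this hook is installed, the entries this function adds under `components.schemas` never appear. Consider resetting `app.openapi_schema` when the hook is installed, or documenting that installation must happen before the first schema request.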
Calling get_openapi directly with only a subset of parameters (title, version, description, routes) discards other important metadata configured on the FastAPI app instance, such as contact and license_info (which are explicitly defined in fastapi_endpoint_registry.py), as well as any other potential settings like servers, tags, summary, terms_of_service, etc.
Instead of calling get_openapi directly, save a reference to the original app.openapi method and call it to obtain the fully populated schema, then inject the polymorphic schemas into it.
```python
original_openapi = app.openapi

def custom_openapi():
    if app.openapi_schema:
        return app.openapi_schema
    schema = original_openapi()
    components = schema.setdefault("components", {}).setdefault("schemas", {})
```
| if token.lower().startswith("bearer "): | ||
| token = token[7:] |
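Review bot: after `token = token[7:]` nothing in these two lines rejects an empty remainder, so a header value of just `Bearer ` is passed on as an empty credential. Suggest checking that the remainder is non-empty and failing the request as unauthenticated before it reaches JWT decoding, so the caller gets a clear auth error rather than a decoder exception.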
Slicing the token with token[7:] when stripping the "bearer " prefix can leave leading or trailing whitespace if the client sent multiple spaces (e.g., "Bearer eyJ..."). This can cause JWT decoding to fail.
Applying .strip() ensures that any extra whitespace is safely removed.
| if token.lower().startswith("bearer "): | |
| token = token[7:] | |
| if token.lower().startswith("bearer "): | |
| token = token[7:].strip() |
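The whitespace case from the review comment above, as an added example that is not part of the pull request or the project's code: it compares the two reviewed lines, the suggested `.strip()`, and a stricter parser. The function names, `parse_bearer` and the sample headers are assumptions made here; `aaa.bbb.ccc` stands in for a compact JWT.

```python
import re
from typing import Optional

# RFC 6750 b64token alphabet; a compact JWT (base64url parts joined by ".") fits it.
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def slice_only(header: str) -> str:
    """Mirrors the two reviewed lines: drop the 7-character prefix, keep the rest."""
    if header.lower().startswith("bearer "):
        return header[7:]
    return header


def slice_and_strip(header: str) -> str:
    """Mirrors the suggested change: slice, then trim surrounding whitespace."""
    if header.lower().startswith("bearer "):
        return header[7:].strip()
    return header


def parse_bearer(header: str) -> Optional[str]:
    """Hypothetical stricter parser: return the token, or None if malformed."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None  # wrong or missing scheme: nothing to decode
    token = rest.strip()
    # fullmatch rejects empty credentials and tokens with embedded whitespace.
    return token if _B64TOKEN.fullmatch(token) else None


# Constructed sample header values (not taken from the PR).
SAMPLES = [
    "Bearer aaa.bbb.ccc",    # well-formed
    "Bearer   aaa.bbb.ccc",  # extra spaces after the scheme
    "bearer aaa.bbb.ccc ",   # lowercase scheme, trailing space
    "Bearer ",               # scheme with no credential
    "Bearer aaa.bbb ccc",    # whitespace inside the credential
    "Basic dXNlcjpwdw==",    # different scheme
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(repr(h), repr(slice_only(h)), repr(slice_and_strip(h)), parse_bearer(h))
```

Returning `None` lets the middleware answer with an authentication error before any JWT library sees the value.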
… bundle schemas (from #76) Re-lands the spp_api_v2 portion of PR #76, which was reverted wholesale in d38ff9d. Restores the OpenAPI polymorphic schema utilities and app hook, the OAuth2 client-credentials security scheme in the auth middleware, the polymorphic BundleEntry.resource schema, and the OpenAPI contract tests, exactly as merged in 8bf9a3a. Bumps the module version to 19.0.2.1.0 with a matching HISTORY entry.
dc9fec1 to c534549
gemini-code-assist disposition: Applied: Bearer-prefix strip now also trims whitespace ( Deferred: |
Re-lands the spp_api_v2 portion of reverted PR #76 (revert: #271).
Summary
- utils/openapi_polymorphic.py: polymorphic_body() helper + OpenAPI anyOf-injection hook, installed on the app via the endpoint registry.
- BundleEntry.resource becomes a polymorphic Individual/Group body; schema import-order fix.

Note: tests/test_search_service.py name-assertion updates from #76 already landed with the revert (#271 kept them aligned with the retained spp_registry name fix), so they are not part of this diff.

Verification
./spp t spp_api_v2: 640 passed, 0 failed