security

Overview ¶

Package security is the sub-parser for the `Security:` block body that appears under `swagger:meta`, `swagger:route` and `swagger:operation`.

The body is parsed as genuine YAML — the same path `securityDefinitions` already takes — and normalised into the OpenAPI 2.0 shape `[]map[string][]string`: an array of Security Requirement Objects.

Supported forms (all idiomatic YAML):

# array of requirement objects — scopes flow- or block-style
- petstore_auth: [write:pets, read:pets]
- api_key: []

# multiple keys in one item → AND (all required); items → OR
- petstore_auth: [read:pets]
  api_key: []

# bare-name shorthand → empty scopes (a go-swagger convenience)
- petstore_auth
- api_key

security: [petstore_auth, api_key]   # flow form of the shorthand
security: []                          # explicit opt-out (see below)

An explicit empty sequence (`[]`) is distinct from an absent block: it is the OAS 2.0 idiom for opting OUT of security and returns a non-nil empty list, so the spec marshals `"security": []` (overriding any global requirement) rather than omitting the key. go-swagger#2479.

Legacy form (preserved, NOT idiomatic YAML): a bare top-level mapping with one scheme per line is read as a list of single-scheme requirements (OR), and a scalar scope value is comma-split:

api_key:
oauth: read, write   # → {oauth: [read, write]}

Note this is the one shape whose meaning diverges from YAML — a YAML mapping is a single object (AND). It is kept working for back-compat; new specs should use the sequence form above.