I noticed that the validation of the security schemes is only the last action when validating a request (see: https://github.com/getkin/kin-openapi/blob/master/openapi3filter/validate_request.go#L84). While I haven't yet found a ground truth for this online, I was wondering if it wouldn't make more sense to check security schemes before the others, as one might not want to expose information about what the request should look like to unauthorized users, if one were to return the request validation errors in the response. If anyone has any sources documenting the intended behaviour, I would love to know!
I noticed that the validation of the security schemes is only the last action when validating a request (see: https://github.com/getkin/kin-openapi/blob/master/openapi3filter/validate_request.go#L84). While I haven't yet found a ground truth for this online, I was wondering if it wouldn't make more sense to check security schemes before the others, as one might not want to expose information about what the request should look like to unauthorized users, if one were to return the request validation errors in the response. If anyone has any sources documenting the intended behaviour, I would love to know!