fix: OpenAPI import fails when securitySchemes are not defined

[sanjaikumar-bruno]

BRU-2347

OpenAPI import fails with "e.global.security.getScheme is not a function" when importing specs that don't define securitySchemes.

Cause

The recent PR #6288 fixed a bug in the getSecurity function:

Before: Object.keys(securitySchemes) === 0 (always false since arrays ≠ numbers)
After: Object.keys(securitySchemes).length === 0 (correctly checks for empty)

However, when no securitySchemes are defined, the function returns { supported: [] } without a getScheme method, causing the error when other code tries to call getScheme().

Fix

Ensure getScheme method always exists, returning null when no security schemes are defined:

• When securitySchemes is empty: getScheme: () => null
• When securitySchemes exists: getScheme: (name) => securitySchemes[name] || null

Summary by CodeRabbit

• Improvements
  • Enhanced OpenAPI import to better handle security schemes, including bearer tokens, basic auth, API keys, and OAuth2 configurations.
  • Improved robustness when importing OpenAPI specifications with or without defined security schemes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Reworks getSecurity(apiSpec) in the OpenAPI→Bruno converter: removes an early-return, computes whether schemes exist, builds supported schemes by mapping default schemes to securitySchemes via the first key, filters falsy entries, and simplifies getScheme to a single-line direct lookup (securitySchemes[schemeName]). Adds two OpenAPI fixtures and a Playwright import test suite.

Changes

Cohort / File(s)	Summary
Converter change packages/bruno-converters/src/openapi/openapi-to-bruno.js	Removed early-return for empty schemes; compute hasSchemes; construct supported as hasSchemes ? defaultSchemes.map(s => securitySchemes[Object.keys(s)[0]]).filter(Boolean) : []; simplified getScheme(schemeName) to securitySchemes[schemeName].
Fixtures tests/import/openapi/fixtures/openapi-with-security-schemes.json, tests/import/openapi/fixtures/openapi-without-security-schemes.json	Added two OpenAPI 3.0 fixtures: one with multiple security schemes (bearer, basic, apiKey, oauth2) and varied endpoints; one with no securitySchemes and standard CRUD endpoints.
Test suite tests/import/openapi/security-schemes-import.spec.ts	Added Playwright tests that import both fixtures and assert import behavior for specs with and without security schemes (uses importCollection utility and temp dirs).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Focus areas:
  • Verify mapping logic: Object.keys(scheme)[0] correctly resolves scheme names for all default scheme shapes.
  • Ensure .filter(Boolean) doesn't inadvertently drop valid falsy-but-meaningful entries.
  • Confirm getScheme(schemeName) behavior matches callers' expectations when scheme is absent (returns undefined).
  • Validate both OpenAPI fixture files are valid OpenAPI 3.0 documents and tests reference correct paths.

Possibly related issues

• Bug: OpenAPI securitySchemes not imported when converting spec to collection #5264 — Addresses the same OpenAPI→Bruno security conversion code paths where securitySchemes could be ignored; this change appears to target that problem.

Possibly related PRs

• fix: openapi body import #6288 — Modifies getSecurity() in the same converter file; likely overlaps in logic and should be reviewed together.

Suggested labels

size/L

Suggested reviewers

• helloanoop
• lohit-bruno
• bijin-bruno

Poem

🔐 A small tweak in the security flow,
keys checked first so schemes can show,
fixtures for both — empty and full,
tests import steady, fast, and cool,
conversions now more likely to glow.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main issue being fixed: OpenAPI import failures when securitySchemes are undefined.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

tests/import/openapi/security-schemes-import.spec.ts (2)

10-16: LGTM! Proper test structure.

The test correctly validates the import of OpenAPI specs with security schemes, using appropriate fixtures and cleanup.

Consider wrapping the import logic in test.step for improved test reporting:

 test('Import OpenAPI spec with security schemes', async ({ page, createTmpDir }) => {
-  const openApiFile = path.resolve(__dirname, 'fixtures', 'openapi-with-security-schemes.json');
-
-  await importCollection(page, openApiFile, await createTmpDir('openapi-with-security'), {
-    expectedCollectionName: 'API with Security Schemes'
-  });
+  await test.step('Import OpenAPI spec with security schemes', async () => {
+    const openApiFile = path.resolve(__dirname, 'fixtures', 'openapi-with-security-schemes.json');
+
+    await importCollection(page, openApiFile, await createTmpDir('openapi-with-security'), {
+      expectedCollectionName: 'API with Security Schemes'
+    });
+  });
 });

---

18-24: LGTM! Proper test structure.

The test correctly validates the import of OpenAPI specs without security schemes, covering the key scenario this PR fixes.

Consider wrapping the import logic in test.step for improved test reporting:

 test('Import OpenAPI spec without security schemes', async ({ page, createTmpDir }) => {
-  const openApiFile = path.resolve(__dirname, 'fixtures', 'openapi-without-security-schemes.json');
-
-  await importCollection(page, openApiFile, await createTmpDir('openapi-without-security'), {
-    expectedCollectionName: 'API without Security Schemes'
-  });
+  await test.step('Import OpenAPI spec without security schemes', async () => {
+    const openApiFile = path.resolve(__dirname, 'fixtures', 'openapi-without-security-schemes.json');
+
+    await importCollection(page, openApiFile, await createTmpDir('openapi-without-security'), {
+      expectedCollectionName: 'API without Security Schemes'
+    });
+  });
 });

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 639c8e5 and c4de342.

📒 Files selected for processing (4)

• packages/bruno-converters/src/openapi/openapi-to-bruno.js (2 hunks)
• tests/import/openapi/fixtures/openapi-with-security-schemes.json (1 hunks)
• tests/import/openapi/fixtures/openapi-without-security-schemes.json (1 hunks)
• tests/import/openapi/security-schemes-import.spec.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CODING_STANDARDS.md)

**/*.{js,jsx,ts,tsx}: Use 2 spaces for indentation. No tabs, just spaces
Stick to single quotes for strings. For JSX/TSX attributes, use double quotes (e.g., )
Always add semicolons at the end of statements
No trailing commas
Always use parentheses around parameters in arrow functions, even for single params
For multiline constructs, put opening braces on the same line, and ensure consistency. Minimum 2 elements for multiline
No newlines inside function parentheses
Space before and after the arrow in arrow functions. () => {} is good
No space between function name and parentheses. func() not func ()
Semicolons go at the end of the line, not on a new line
Names for functions need to be concise and descriptive
Add in JSDoc comments to add more details to the abstractions if needed
Add in meaningful comments instead of obvious ones where complex code flow is explained properly

Files:

• packages/bruno-converters/src/openapi/openapi-to-bruno.js
• tests/import/openapi/security-schemes-import.spec.ts

tests/**/**.*

⚙️ CodeRabbit configuration file

tests/**/**.*: Review the following e2e test code written using the Playwright test library. Ensure that:

• Follow best practices for Playwright code and e2e automation

• Try to reduce usage of page.waitForTimeout(); in code unless absolutely necessary and the locator cannot be found using existing expect() playwright calls

• Avoid using page.pause() in code

• Use locator variables for locators

• Avoid using test.only

• Use multiple assertions

• Promote the use of test.step as much as possible so the generated reports are easier to read

• Ensure that the fixtures like the collections are nested inside the fixtures folder

  Fixture Example*: Here's an example of possible fixture and test pair

  .
  ├── fixtures
  │   └── collection
  │       ├── base.bru
  │       ├── bruno.json
  │       ├── collection.bru
  │       ├── ws-test-request-with-headers.bru
  │       ├── ws-test-request-with-subproto.bru
  │       └── ws-test-request.bru
  ├── connection.spec.ts # <- Depends on the collection in ./fixtures/collection
  ├── headers.spec.ts
  ├── persistence.spec.ts
  ├── variable-interpolation
  │   ├── fixtures
  │   │   └── collection
  │   │       ├── environments
  │   │       ├── bruno.json
  │   │       └── ws-interpolation-test.bru
  │   ├── init-user-data
  │   └── variable-interpolation.spec.ts # <- Depends on the collection in ./variable-interpolation/fixtures/collection
  └── subproto.spec.ts
  

Files:

• tests/import/openapi/fixtures/openapi-without-security-schemes.json
• tests/import/openapi/security-schemes-import.spec.ts
• tests/import/openapi/fixtures/openapi-with-security-schemes.json

🧠 Learnings (3)

📚 Learning: 2025-12-02T07:24:50.311Z

Learnt from: bijin-bruno
Repo: usebruno/bruno PR: 6263
File: packages/bruno-requests/src/auth/oauth2-helper.ts:249-249
Timestamp: 2025-12-02T07:24:50.311Z
Learning: In OAuth2 Basic Auth headers for Bruno, clientSecret is optional and can be omitted. When constructing the Authorization header in `packages/bruno-requests/src/auth/oauth2-helper.ts`, use `clientSecret || ''` instead of `clientSecret!` to properly handle cases where only clientId is provided, per community requests.

Applied to files:

• packages/bruno-converters/src/openapi/openapi-to-bruno.js

📚 Learning: 2025-12-05T20:31:33.005Z

Learnt from: CR
Repo: usebruno/bruno PR: 0
File: CODING_STANDARDS.md:0-0
Timestamp: 2025-12-05T20:31:33.005Z
Learning: Applies to **/*.test.{js,jsx,ts,tsx} : Add tests for any new functionality or meaningful changes. If code is added, removed, or significantly modified, corresponding tests should be updated or created

Applied to files:

• tests/import/openapi/security-schemes-import.spec.ts

📚 Learning: 2025-12-16T07:16:08.934Z

Learnt from: sanish-bruno
Repo: usebruno/bruno PR: 6090
File: tests/scripting/hooks/init-user-data/ui-state-snapshot.json:1-8
Timestamp: 2025-12-16T07:16:08.934Z
Learning: For e2e tests in the bruno repository: Collections that are shared between CLI and UI tests (comprehensive test suites testing core functionality) should be placed in `packages/bruno-tests/` to avoid duplication. The `tests/**/fixtures/collection` pattern should be used for test-specific collections that test particular UI behaviors or are specific to a single test file.

Applied to files:

• tests/import/openapi/security-schemes-import.spec.ts

🧬 Code graph analysis (1)

tests/import/openapi/security-schemes-import.spec.ts (2)

tests/utils/page/actions.ts (1)

• closeAllCollections (715-715)

packages/bruno-converters/src/openapi/openapi-to-bruno.js (1)

• path (309-309)

🪛 Checkov (3.2.334)

tests/import/openapi/fixtures/openapi-without-security-schemes.json

[high] 1-291: Ensure that the global security field has rules defined

(CKV_OPENAPI_4)

---

[high] 1-291: Ensure that security operations is not empty.

(CKV_OPENAPI_5)

---

[medium] 57-62: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

tests/import/openapi/fixtures/openapi-with-security-schemes.json

[high] 1-208: Ensure that security operations is not empty.

(CKV_OPENAPI_5)

---

[medium] 69-85: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

---

[high] 26-29: Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files

(CKV_OPENAPI_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: SSL Tests - macOS
• GitHub Check: Playwright E2E Tests
• GitHub Check: CLI Tests
• GitHub Check: Unit Tests
• GitHub Check: SSL Tests - Linux
• GitHub Check: SSL Tests - Windows

🔇 Additional comments (4)

packages/bruno-converters/src/openapi/openapi-to-bruno.js (2)

932-934: LGTM! Properly handles missing security schemes.

The addition of getScheme: () => null when security schemes are absent ensures the method is always defined, preventing the "getScheme is not a function" error.

---

944-944: LGTM! Safe fallback for missing schemes.

The || null fallback ensures a consistent return type when a scheme name doesn't exist in securitySchemes. Calling code at line 381 safely checks for null before using the result.

tests/import/openapi/fixtures/openapi-with-security-schemes.json (1)

1-208: LGTM! Well-structured test fixture.

This fixture appropriately covers multiple security scheme types (bearer, basic, API key, OAuth2) and different operation-level security requirements, providing comprehensive test coverage for the security schemes import functionality.

tests/import/openapi/fixtures/openapi-without-security-schemes.json (1)

1-291: LGTM! Appropriate test fixture for the no-security-schemes scenario.

This fixture correctly represents an OpenAPI spec without any security schemes defined, which is the exact scenario the PR fixes. The comprehensive endpoint coverage ensures the converter handles all operation types when security schemes are absent.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/bruno-converters/src/openapi/openapi-to-bruno.js (1)

926-941: Minor: getScheme returns undefined instead of null as specified in PR description.

The PR objective states:

• getScheme: () => null when schemes empty
• getScheme: (name) => securitySchemes[name] || null when schemes exist

Current implementation returns undefined for missing schemes. While functionally equivalent (both falsy), returning null is more explicit and matches the stated behavior.

-    getScheme: (schemeName) => securitySchemes[schemeName]
+    getScheme: (schemeName) => securitySchemes[schemeName] || null

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4de342 and bc52783.

📒 Files selected for processing (1)

• packages/bruno-converters/src/openapi/openapi-to-bruno.js (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CODING_STANDARDS.md)

**/*.{js,jsx,ts,tsx}: Use 2 spaces for indentation. No tabs, just spaces
Stick to single quotes for strings. For JSX/TSX attributes, use double quotes (e.g., )
Always add semicolons at the end of statements
No trailing commas
Always use parentheses around parameters in arrow functions, even for single params
For multiline constructs, put opening braces on the same line, and ensure consistency. Minimum 2 elements for multiline
No newlines inside function parentheses
Space before and after the arrow in arrow functions. () => {} is good
No space between function name and parentheses. func() not func ()
Semicolons go at the end of the line, not on a new line
Names for functions need to be concise and descriptive
Add in JSDoc comments to add more details to the abstractions if needed
Add in meaningful comments instead of obvious ones where complex code flow is explained properly

Files:

• packages/bruno-converters/src/openapi/openapi-to-bruno.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: SSL Tests - Linux
• GitHub Check: SSL Tests - Windows
• GitHub Check: SSL Tests - macOS
• GitHub Check: Playwright E2E Tests
• GitHub Check: Unit Tests
• GitHub Check: CLI Tests

🔇 Additional comments (1)

packages/bruno-converters/src/openapi/openapi-to-bruno.js (1)

929-937: Logic looks correct for the fix.

The refactored getSecurity function now:

1. Computes hasSchemes to check if securitySchemes is non-empty
2. Returns an empty supported array when no schemes exist
3. Always provides a getScheme method, preventing the "is not a function" error

The .filter(Boolean) correctly handles cases where a default scheme references a non-existent security scheme definition.