Merge branch 'main' into main

sidux · web-flow · commit f9bf0bb43fa5 · 2025-11-04T11:06:09.000+01:00
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13', '3.14']
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python ${{ matrix.python-version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,10 +13,10 @@ jobs:
     steps:
     - uses: actions/checkout@master
 
-    - name: Set up Python 3.9
+    - name: Set up Python 3.12
       uses: actions/setup-python@v1
       with:
-        python-version: 3.9
+        python-version: 3.12
 
     - name: Update version
       run: sed -i "s/^version = .*/version = '${{github.ref_name}}'/" pyproject.toml
@@ -28,15 +28,15 @@ jobs:
 
     - name: Publish distribution 📦 to Test PyPI
       if: github.event_name == 'push'
-      uses: pypa/gh-action-pypi-publish@v1.5.0
+      uses: pypa/gh-action-pypi-publish@v1.13.0
       with:
         user: __token__
         password: ${{ secrets.TEST_PYPI_API_TOKEN }}
         repository_url: https://test.pypi.org/legacy/
 
     - name: Publish distribution 📦 to PyPI if triggered by release
       if: github.event_name == 'release'
-      uses: pypa/gh-action-pypi-publish@v1.5.0
+      uses: pypa/gh-action-pypi-publish@v1.13.0
       with:
         user: __token__
         password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -6,7 +6,7 @@ sphinx:
 build:
   os: "ubuntu-22.04"
   tools:
-    python: "3.8"
+    python: "3.12"
   jobs:
     post_create_environment:
       # Install poetry
diff --git a/README.md b/README.md
@@ -54,7 +54,6 @@ Connexion also **helps you write your OpenAPI specification** and develop agains
 ## 🫶 Sponsors
 
 <a href="https://www.ml6.eu"><img src="https://raw.githubusercontent.com/spec-first/connexion/main/docs/images/sponsors/ML6.png" title=ML6 height="100"></a>
-<a href="https://www.devmark.ai/fern/?utm_source=connexion&utm_loc=readme&utm_type=logo"><img src="https://raw.githubusercontent.com/spec-first/connexion/main/docs/images/sponsors/Fern.png" title=Fern height="100"></a>
 
 Sponsors help us dedicate time to maintain Connexion. Want to help?
 
diff --git a/connexion/middleware/swagger_ui.py b/connexion/middleware/swagger_ui.py
@@ -70,7 +70,7 @@ def _spec_for_prefix(self, request) -> dict:
         This is needed when behind a path-altering reverse proxy.
         """
         base_path = self._base_path_for_prefix(request)
-        return self.specification.with_base_path(base_path).raw
+        return self.specification.with_base_path(base_path).spec
 
     def add_openapi_json(self):
         """
diff --git a/connexion/security.py b/connexion/security.py
@@ -493,11 +493,26 @@ def parse_security_scheme(
                 security_handler = self.security_handlers["apiKey"]
                 return security_handler().get_fn(security_scheme, required_scopes)
 
-        # Custom security handler
-        elif (scheme := security_scheme["scheme"].lower()) in self.security_handlers:
+        elif security_type == "openIdConnect":
+            if security_type in self.security_handlers:
+                security_handler = self.security_handlers[security_type]
+                return security_handler().get_fn(security_scheme, required_scopes)
+            logger.warning("... No default implementation for openIdConnect")
+            return None
+
+        # Custom security scheme handler
+        elif (
+            "scheme" in security_scheme
+            and (scheme := security_scheme["scheme"].lower()) in self.security_handlers
+        ):
             security_handler = self.security_handlers[scheme]
             return security_handler().get_fn(security_scheme, required_scopes)
 
+        # Custom security type handler
+        elif security_type in self.security_handlers:
+            security_handler = self.security_handlers[security_type]
+            return security_handler().get_fn(security_scheme, required_scopes)
+
         else:
             logger.warning(
                 "... Unsupported security scheme type %s",
diff --git a/connexion/spec.py b/connexion/spec.py
@@ -81,6 +81,7 @@ def __init__(self, raw_spec, *, base_uri=""):
         self._set_defaults(raw_spec)
         self._validate_spec(raw_spec)
         self._spec = resolve_refs(raw_spec, base_uri=base_uri)
+        self._base_uri = base_uri
 
     @classmethod
     @abc.abstractmethod
@@ -107,6 +108,10 @@ def get_operation(self, path, method):
     def raw(self):
         return self._raw_spec
 
+    @property
+    def spec(self):
+        return self._spec
+
     @property
     def version(self):
         return self._get_spec_version(self._spec)
@@ -204,7 +209,7 @@ def enforce_string_keys(obj):
         return OpenAPISpecification(spec, base_uri=base_uri)
 
     def clone(self):
-        return type(self)(copy.deepcopy(self._spec))
+        return type(self)(copy.deepcopy(self._raw_spec), base_uri=self._base_uri)
 
     @classmethod
     def load(cls, spec, *, arguments=None):
diff --git a/connexion/utils.py b/connexion/utils.py
@@ -7,8 +7,8 @@
 import importlib
 import inspect
 import os
-import pkgutil
 import sys
+import typing
 import typing as t
 
 import yaml
@@ -391,13 +391,16 @@ def cast_leaves(d, schema):
             return value
 
 
+@typing.no_type_check
 def get_root_path(import_name: str) -> str:
     """Copied from Flask:
     https://github.com/pallets/flask/blob/836866dc19218832cf02f8b04911060ac92bfc0b/src/flask/helpers.py#L595
 
     Find the root path of a package, or the path that contains a
     module. If it cannot be found, returns the current working
     directory.
+
+    :meta private:
     """
     # Module already imported and has a file attribute. Use that first.
     mod = sys.modules.get(import_name)
@@ -406,16 +409,24 @@ def get_root_path(import_name: str) -> str:
         return os.path.dirname(os.path.abspath(mod.__file__))
 
     # Next attempt: check the loader.
-    loader = pkgutil.get_loader(import_name)
+    try:
+        spec = importlib.util.find_spec(import_name)
+
+        if spec is None:
+            raise ValueError
+    except (ImportError, ValueError):
+        loader = None
+    else:
+        loader = spec.loader
 
     # Loader does not exist or we're referring to an unloaded main
     # module or a main module without path (interactive sessions), go
     # with the current working directory.
-    if loader is None or import_name == "__main__":
+    if loader is None:
         return os.getcwd()
 
     if hasattr(loader, "get_filename"):
-        filepath = loader.get_filename(import_name)  # type: ignore
+        filepath = loader.get_filename(import_name)  # pyright: ignore
     else:
         # Fall back to imports.
         __import__(import_name)
@@ -436,7 +447,7 @@ def get_root_path(import_name: str) -> str:
             )
 
     # filepath is import_name.py for a module, or __init__.py for a package.
-    return os.path.dirname(os.path.abspath(filepath))
+    return os.path.dirname(os.path.abspath(filepath))  # type: ignore[no-any-return]
 
 
 def inspect_function_arguments(function: t.Callable) -> t.Tuple[t.List[str], bool]:
@@ -499,7 +510,7 @@ def __init__(self, path: str) -> None:
             self.path_regex, _, _ = compile_path(self.path)
 
         def __lt__(self, other: "SortableRoute") -> bool:
-            return bool(other.path_regex.match(self.path))
+            return bool(other.path_regex.match(self.path)) or self.path < other.path
 
     return sorted(routes, key=lambda r: SortableRoute(key(r) if key else r))
 
@@ -542,5 +553,9 @@ def build_example_from_schema(schema):
     except ImportError:
         return None
 
-    faker = JSF(schema)
-    return faker.generate()
+    try:
+        faker = JSF(schema)
+        return faker.generate()
+    except TypeError:
+
+        return None
diff --git a/examples/frameworks/spec/swagger.yaml b/examples/frameworks/spec/swagger.yaml
@@ -13,7 +13,7 @@ paths:
       description: Generates a greeting message.
       operationId: post_greeting
       produces:
-        - text/plain;
+        - text/plain
       responses:
         '200':
           description: greeting response
diff --git a/examples/helloworld/spec/swagger.yaml b/examples/helloworld/spec/swagger.yaml
@@ -13,7 +13,7 @@ paths:
       description: Generates a greeting message.
       operationId: hello.post_greeting
       produces:
-        - text/plain;
+        - text/plain
       responses:
         '200':
           description: greeting response
diff --git a/pyproject.toml b/pyproject.toml
@@ -26,11 +26,12 @@ classifiers = [
     "Programming Language :: Python",
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: 3 :: Only",
-    "Programming Language :: Python :: 3.8",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Topic :: Internet",
     "Topic :: Internet :: WWW/HTTP",
     "Topic :: Internet :: WWW/HTTP :: HTTP Servers",
@@ -44,7 +45,7 @@ classifiers = [
 connexion = 'connexion.cli:main'
 
 [tool.poetry.dependencies]
-python = '^3.8'
+python = '^3.9'
 asgiref = ">= 3.4"
 httpx = ">= 0.23"
 inflection = ">= 0.3.1"
@@ -71,7 +72,7 @@ mock = ["jsf"]
 
 [tool.poetry.group.tests.dependencies]
 pre-commit = "~2.21.0"
-pytest = "7.2.1"
+pytest = "8.4.2"
 pytest-asyncio = "~0.18.3"
 pytest-cov = "~2.12.1"
 
@@ -109,3 +110,7 @@ exclude_lines = [
 [[tool.mypy.overrides]]
 module = "referencing.jsonschema.*"
 follow_imports = "skip"
+
+[[tool.mypy.overrides]]
+module = "referencing._core.*"
+follow_imports = "skip"
diff --git a/tests/api/test_secure_api.py b/tests/api/test_secure_api.py
@@ -6,6 +6,8 @@
 from connexion.exceptions import OAuthProblem
 from connexion.security import NO_VALUE, BasicSecurityHandler, OAuthSecurityHandler
 
+from tests.conftest import OPENAPI3_SPEC
+
 
 class FakeResponse:
     def __init__(self, status_code, text):
@@ -288,3 +290,88 @@ def wrapper(request):
         headers={"Authorization": "my_basic dGVzdDp0ZXN0"},
     )
     assert res.status_code == 200
+
+
+def test_security_map_custom_type(secure_api_spec_dir):
+    def generate_token(scopes):
+        token_segments = [
+            json.dumps({"alg": "none", "typ": "JWT"}),
+            json.dumps({"sub": "1234567890", "name": "John Doe", "scopes": scopes}),
+            "",
+        ]
+        token = ".".join(
+            base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")
+            for s in token_segments
+        )
+        return token
+
+    class FakeOIDCSecurityHandler(OAuthSecurityHandler):
+        """
+        Uses openIdConnect (not currently directly implemented) as auth type to test custom/unimplemented auth types.
+        Doesn't attempt to actually implement OIDC
+        """
+
+        def _get_verify_func(
+            self, token_info_func, scope_validate_func, required_scopes
+        ):
+            check_oauth_func = self.check_oauth_func(
+                token_info_func, scope_validate_func
+            )
+
+            def wrapper(request):
+                auth_type, token = self.get_auth_header_value(request)
+                if auth_type != "bearer":
+                    return NO_VALUE
+
+                return check_oauth_func(request, token, required_scopes=required_scopes)
+
+            return wrapper
+
+        def get_tokeninfo_func(self, security_definition: dict):
+            def wrapper(token):
+                segments = token.split(".")
+                body = segments[1]
+                body += "=" * (-len(body) % 4)
+                return json.loads(base64.urlsafe_b64decode(body))
+
+            return wrapper
+
+    security_map = {
+        "openIdConnect": FakeOIDCSecurityHandler,
+    }
+    # api level
+    app = App(__name__, specification_dir=secure_api_spec_dir)
+    app.add_api(OPENAPI3_SPEC, security_map=security_map)
+    app_client = app.test_client()
+    invalid_token = generate_token(["invalidscope"])
+    res = app_client.post(
+        "/v1.0/greeting_oidc",
+        headers={"Authorization": f"bearer {invalid_token}"},
+    )
+    assert res.status_code == 403
+
+    valid_token = generate_token(["mytestscope"])
+    res = app_client.post(
+        "/v1.0/greeting_oidc",
+        headers={"Authorization": f"bearer {valid_token}"},
+    )
+    assert res.status_code == 200
+
+    # app level
+    app = App(
+        __name__, specification_dir=secure_api_spec_dir, security_map=security_map
+    )
+    app.add_api(OPENAPI3_SPEC)
+    app_client = app.test_client()
+
+    res = app_client.post(
+        "/v1.0/greeting_oidc",
+        headers={"Authorization": f"bearer {invalid_token}"},
+    )
+    assert res.status_code == 403
+
+    res = app_client.post(
+        "/v1.0/greeting_oidc",
+        headers={"Authorization": f"bearer {valid_token}"},
+    )
+    assert res.status_code == 200
diff --git a/tests/fakeapi/hello/__init__.py b/tests/fakeapi/hello/__init__.py
@@ -48,6 +48,11 @@ def post_greeting_basic():
     return data
 
 
+def post_greeting_oidc():
+    data = {"greeting": "Hello oidc"}
+    return data
+
+
 def post_greeting3(body, **kwargs):
     data = {"greeting": "Hello {name}".format(name=body["name"])}
     return data
diff --git a/tests/fixtures/secure_api/openapi.yaml b/tests/fixtures/secure_api/openapi.yaml
diff --git a/tests/test_api.py b/tests/test_api.py
diff --git a/tests/test_mock.py b/tests/test_mock.py
diff --git a/tests/test_mock2.py b/tests/test_mock2.py
diff --git a/tox.ini b/tox.ini
