Lists of Security Requirement Objects on an operation are not supported

[beryxz]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.28.1

Plugin version

8.15.0

Node.js version

22.6

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

24.04

Description

It seems that the security property definition inside FastifySchema doesn't cover the use case of multiple different security objects on a route schema (spec. ref):

interface FastifySchema {
    ...
    security?: ReadonlyArray<{ [securityLabel: string]: readonly string[] }>;
}

The relevant part would be:

When a list of Security Requirement Objects is defined on the OpenAPI Object or Operation Object, only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request.

It should then be possible to use both the following:

{
  // api_key AND bearer_token
  security: [{ api_key: [], bearer_token: [] }]
}

{
  // api_key OR bearer_token
  security: [{ api_key: [] }, { bearer_token: [] }]
}

but the "OR" solution doesn't work and throws the error:

Types of property 'security' are incompatible.
    Type '({ bearer_token: never[]; api_key?: undefined; } | { api_key: never[]; bearer_token?: undefined; })[]' is not assignable to type 'readonly { [securityLabel: string]: readonly string[]; }[]'.
      Type '{ bearer_token: never[]; api_key?: undefined; } | { api_key: never[]; bearer_token?: undefined; }' is not assignable to type '{ [securityLabel: string]: readonly string[]; }'.
        Type '{ bearer_token: never[]; api_key?: undefined; }' is not assignable to type '{ [securityLabel: string]: readonly string[]; }'.
          Property 'api_key' is incompatible with index signature.
            Type 'undefined' is not assignable to type 'readonly string[]'.

Link to code that reproduces the bug

No response

Expected Behavior

It should be possible to use both solutions in the security property.

[mcollina]

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests. We use tsd for type tests.

[beryxz]

Sure, here it is; I hope everything is in order.

The new tests explicitly use undefined as errors weren't raised without it. The initial stack trace was probably a consequence of using Fastify with the TypeBoxTypeProvider.

[climba03003]

As per my comment here.
#817 (comment)

It is working intended because of how TypeScript reflect the array types.
You can either place all together which allows proper infer or use as const to provides actual types.