Draft: Generate API from OpenAPI spec with oapi-codegen

Changes proposed in this pull request:

Motivation: The security team would like an OpenAPI spec for the billing API so they can scan it, and it would reduce our maintenance burden to no longer manually maintain the API handlers.

To achieve both goals, this PR uses the oapi-codegen package to generate a Go HTTP server interface from an OpenAPI document. This works similarly to how sqlc generates Go bindings from SQL.

The WIP parts:

  • Cleanup. Some code remains from the previous, manually maintained approach.
  • The auth middleware is not yet applied to the new server.
  • The HTTP logging middleware is also not yet applied.

Things to check

  • For any logging statements, is there any chance that they could be logging sensitive data?
  • Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the output, which can prevent unintentional leaks of sensitive data.

Security considerations

This PR changes how the security middleware which validates the JWT and checks for appropriate scopes is called.
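The two WIP items above (auth and HTTP logging middleware not yet applied to the generated server) and the logging-level check, as an added example that is not code from this merge request or from oapi-codegen: a scope-checking middleware and a level-aware request logger that can wrap the generated handler. The `Middleware` shape, the hypothetical `ScopeFunc` hook standing in for the existing JWT verifier, and the `billing:read` scope name are assumptions.

```go
package main

import (
	"log/slog"
	"net/http"
	"slices"
	"strings"
)

// Middleware: the func(http.Handler) http.Handler shape that server options
// such as oapi-codegen's accept (assumption; generated code is not shown here).
type Middleware func(http.Handler) http.Handler

// ScopeFunc is a hypothetical hook standing in for the existing JWT middleware:
// it returns the scopes granted to a bearer token, or false if it is invalid.
type ScopeFunc func(token string) ([]string, bool)

// RequireScope answers 401 without a valid bearer token and 403 without the
// required scope, so the generated handler never runs for such requests.
func RequireScope(scope string, scopes ScopeFunc) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
			granted, valid := scopes(token)
			if !ok || !valid {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			if !slices.Contains(granted, scope) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// RequestLog writes method and path at INFO and only header *names* at DEBUG,
// so token values never reach the log and the DEBUG line is dropped whenever
// the logger's level is INFO or higher.
func RequestLog(logger *slog.Logger) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			logger.Info("request", "method", r.Method, "path", r.URL.Path)
			names := make([]string, 0, len(r.Header))
			for k := range r.Header {
				names = append(names, k)
			}
			logger.Debug("request headers", "names", names)
			next.ServeHTTP(w, r)
		})
	}
}
```

Wrap the generated handler as `RequestLog(logger)(RequireScope("billing:read", verify)(generated))` so every route is covered; with the logger at INFO, the header-name line is never emitted.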
