As you can see from the github issue, RSwag does not support multiple headers for api Key authentication.
This is my openapi/swagger yml, in following with Multiple API Key Setup in swagger docs:
components:
securitySchemes:
apiKey:
type: apiKey
in: header
name: X-API-KEY
description: Your API Key, provided by GoApron.
userId:
type: apiKey
in: header
name: X-USER-ID
description: Your GoApron user ID
security:
- apiKey: []
userId: []
As the issue notes:
in testing we've discovered rswag's spec helpers only add the first entry of type apiKey to the headers / query.
Is there some way I can actually specify both these headers in my API requests?
The problem with just adding header parameters to each endpoint is that it will add all those parameters to the docs, when that's not how auth headers are supposed to be shown.
What I would like is a way to "hack" the requests in the rswag request specs to send those headers as part of the requests even though they're not defined as parameters due to rswag limitations.
It seems like overriding build_request (used by submit_request) may be my best bet:
https://github.com/rswag/rswag/blob/master/rswag-specs/lib/rswag/specs/example_helpers.rb#L10 https://github.com/rswag/rswag/blob/master/rswag-specs/lib/rswag/specs/request_factory.rb#L14
So it turns out that everything just hinges on using symbols in Rswag correctly. Specifically, when you're defining parameters in swagger_helper, make sure you use symbols rather than strings for securitySchemes values. I was using a string instead of symbol on some fields, and even though it generated the correct swagger.yml, Rswag wasn't able to understand the refs. Just make sure you follow the format here
Everything magically works now with headers and let variables. I don't think the Github issue was really the issue I thought it was. It turns out it was just Rswag specs not handling Refs correctly when you use symbol instead of string on securitySchemes fields.