@tothandras tothandras commented Sep 14, 2025

Summary by CodeRabbit

  • Bug Fixes

    • Standardized HTTP bearer auth scheme to lowercase across API specifications, improving compatibility with tools and client generators (PortalTokenAuth, CloudTokenAuth, CloudPortalTokenAuth).
  • Chores

    • Regenerated embedded API specifications in server and Go client to reflect the updated auth scheme.
    • No changes to endpoints or request/response structures; existing integrations should continue to work without modifications.

@tothandras tothandras requested a review from a team as a code owner September 14, 2025 01:16
@tothandras tothandras added the release-note/misc Miscellaneous changes label Sep 14, 2025

coderabbitai bot commented Sep 14, 2025

📝 Walkthrough

Updates normalize HTTP bearer auth scheme to lowercase across OpenAPI and TSP specs, introduce a LowercaseBearerAuth model and re-alias usages, and regenerate embedded Swagger specs in generated Go files to reflect these spec changes. No control flow or exported Go APIs changed.

Changes

  • OpenAPI security scheme updates (YAML): api/openapi.cloud.yaml, api/openapi.yaml. Changed securitySchemes http scheme from "Bearer" to "bearer" for CloudTokenAuth, CloudPortalTokenAuth, and PortalTokenAuth.
  • Auth models (TSP spec): api/spec/src/auth.tsp, api/spec/src/cloud/auth.tsp. Added public model LowercaseBearerAuth (http bearer); PortalTokenAuth now aliases LowercaseBearerAuth; CloudTokenAuth and CloudPortalTokenAuth updated to use LowercaseBearerAuth.
  • Generated Swagger embeddings (Go): api/api.gen.go, api/client/go/client.gen.go. Replaced embedded swaggerSpec string slices with regenerated content; no logic or signatures changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title succinctly and accurately describes the primary change—overriding the default casing for the bearer auth scheme—matching the OpenAPI and spec edits that change "Bearer" to "bearer" and introduce LowercaseBearerAuth, so it is specific, concise, and relevant.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
api/spec/src/auth.tsp (1)

9-28: Lowercase scheme implemented correctly; add a brief note to avoid confusion.

No 'scheme: Bearer' occurrences found; only the doc header in api/spec/src/auth.tsp shows "Authorization: Bearer " — add this one‑liner.

   * ```
   * Authorization: Bearer <token>
   * ```
+  * Note: In OpenAPI the security scheme value must be "bearer" (lowercase), while the HTTP Authorization header scheme token is case-insensitive and commonly shown as "Bearer".
api/api.gen.go (1)

20590-20610: Add a tiny CI guard to prevent 'scheme: Bearer' regressions.

Verified: no uppercase scheme: Bearer under api/; current specs use lowercase scheme: bearer (api/openapi.yaml, api/openapi.cloud.yaml). Add this lint step to CI:

#!/bin/bash
set -euo pipefail
if rg -nP '\bscheme:\s*Bearer\b' api/; then
  echo 'OpenAPI must use lowercase `scheme: bearer`.' >&2
  exit 1
fi
api/openapi.cloud.yaml (1)

23955-23955: Consistent lowercase "bearer" for CloudPortalTokenAuth; LGTM.

Matches the above change; keeps specs consistent across auth schemes.

If applicable, mirror format hint:

# under CloudPortalTokenAuth
bearerFormat: JWT
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff4976b and 26725d2.

📒 Files selected for processing (6)
  • api/api.gen.go (1 hunks)
  • api/client/go/client.gen.go (1 hunks)
  • api/openapi.cloud.yaml (2 hunks)
  • api/openapi.yaml (1 hunks)
  • api/spec/src/auth.tsp (1 hunks)
  • api/spec/src/cloud/auth.tsp (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Artifacts / Container image
  • GitHub Check: Lint
  • GitHub Check: Migration Checks
  • GitHub Check: Test
  • GitHub Check: Code Generators
  • GitHub Check: Build
  • GitHub Check: Analyze (go)
🔇 Additional comments (7)
api/spec/src/auth.tsp (1)

7-7: Alias preserves public API surface — verified. Search found only expected occurrences: api/spec/src/auth.tsp (friendlyName "BearerAuth") and api/spec/patches/@typespec__http.patch (export list); generated code/runtime reference PortalTokenAuth/PortalTokenAuthScopes (api/api.gen.go, api/openapi.yaml, openmeter/portal/authenticator/authenticator.go). No lingering internal model named "BearerAuth" requiring changes.

api/openapi.yaml (1)

24983-24989: LGTM — scheme is correctly lowercase bearer; consider bearerFormat

Spec-correct: scheme: bearer conforms to OAS 3.x.
Optional (if tokens are JWT): add bearerFormat: JWT.
Repo-wide scan couldn't be completed in sandbox (ripgrep: "No files were searched"); verify locally that there are no other scheme: Bearer occurrences.

api/api.gen.go (1)

20549-20920: LGTM: regenerated Swagger blob only; normalization verified.

No functional Go changes. Verified no uppercase "Bearer" in specs; normalized "scheme: bearer" found at api/openapi.cloud.yaml:23946, api/openapi.cloud.yaml:23955, and api/openapi.yaml:24986. "LowercaseBearerAuth" not present outside TypeSpec sources.

api/openapi.cloud.yaml (1)

23946-23946: Lowercase "bearer" is correct per OpenAPI — verified.

No occurrences of scheme: Bearer or "scheme": "Bearer" were found; OpenAPI/spec files use scheme: bearer (api/openapi.cloud.yaml — lines ~23946 & 23955; api/openapi.yaml — line ~24986; api/spec/src/auth.tsp).
Optional: add bearerFormat: JWT under CloudTokenAuth/CloudPortalTokenAuth if these tokens are JWTs.

api/client/go/client.gen.go (1)

43586-43959: Data-only swagger blob update — verify 'scheme: bearer' decoded correctly.

Generated refresh looks fine; sandbox verification failed with "/dev/fd/63". Run the local verifier below and confirm no securitySchemes of type "http" use non-lowercase schemes (e.g. "Bearer"). File: api/client/go/client.gen.go (lines ~43586-43959).

# Run from repo root (requires python3; PyYAML is optional and only needed if the embedded spec is YAML)
python3 - <<'PY'
import re, sys, base64, gzip, zlib, json
try:
    import yaml
except ImportError:
    yaml = None

def extract(path):
    """Return the decoded swaggerSpec blob embedded in a generated Go file, or None."""
    s = open(path, encoding='utf-8', errors='ignore').read()
    m = re.search(r'var\s+swaggerSpec\s*=\s*\[\]string\s*{\s*(.*?)\s*}\s*', s, re.S)
    if not m:
        return None
    # The blob is split over several Go string literals; join them before decoding.
    segs = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
    if not segs:
        return None
    raw = base64.b64decode(''.join(segs))
    # oapi-codegen embeds the spec gzip-compressed; fall back to zlib, then to the raw bytes.
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):
        pass
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw

def load_doc(b):
    """Parse the decoded spec as JSON, falling back to YAML when PyYAML is installed."""
    text = b.decode('utf-8', errors='replace')
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        if yaml:
            return yaml.safe_load(text)
        raise

paths = sys.argv[1:] or ['api/client/go/client.gen.go']
rc = 0
for p in paths:
    try:
        doc = extract(p)
    except OSError as e:
        print(f"[skip] {p}: {e}")
        rc = 1
        continue
    if doc is None:
        print(f"[skip] {p}: cannot extract swaggerSpec")
        rc = 1
        continue
    try:
        spec = load_doc(doc)
    except Exception as e:
        print(f"[fail] {p}: could not parse spec: {e}")
        rc = 1
        continue
    # Only http-type security schemes carry a 'scheme' value; OAS 3.x requires it lowercase
    # (e.g. "bearer", "basic"), so flag any http scheme that is missing or not lowercase.
    comps = (spec or {}).get('components', {}).get('securitySchemes', {}) or {}
    bad = []
    ok = []
    for name, val in comps.items():
        if isinstance(val, dict) and val.get('type') == 'http':
            sch = val.get('scheme')
            if isinstance(sch, str) and sch == sch.lower():
                ok.append((name, sch))
            else:
                bad.append((name, sch))
    print(f"==> {p}")
    print("HTTP schemes (lowercase):", sorted(ok))
    if bad:
        print("Non-lowercase http schemes found:", bad)
        rc = 1
sys.exit(rc)
PY
api/spec/src/cloud/auth.tsp (2)

7-7: Lowercase bearer for CloudTokenAuth — LGTM (verified)

LowercaseBearerAuth is defined; no remaining "is BearerAuth" occurrences; OpenAPI has scheme: bearer and CloudTokenAuth resolves to http/bearer in api/openapi.cloud.yaml.


19-19: Lowercase bearer for CloudPortalTokenAuth — OpenAPI updated; runtime not verified

OpenAPI: confirmed — api/openapi.cloud.yaml shows CloudPortalTokenAuth with type: http and scheme: bearer (around lines 23953–23955).

Runtime: verification incomplete — repo search returned "No files were searched" and a regex quoting error when re-running checks; cannot confirm middleware/token parser accepts "Authorization: Bearer ..." case-insensitively. Run this locally to verify runtime handling:

#!/bin/bash
set -euo pipefail

echo "1) Confirm OpenAPI (CloudPortalTokenAuth):"
rg -n -C2 'CloudPortalTokenAuth' api/openapi*.yaml || true
rg -n -C2 'scheme: bearer' api/openapi*.yaml || true

echo
echo "2) Search for Authorization/Bearer usage (case-insensitive):"
rg -n -i -C3 'authorization|bearer' --hidden -uu --glob '!node_modules/**' || true

echo
echo "3) Search for code that lowercases or prefix-checks bearer (JS/TS/Go/Python):"
rg -n -i -C3 'toLowerCase\(|strings\.ToLower\(|tolower\(|startsWith\(|HasPrefix\(' --hidden -uu --glob '!node_modules/**' || true
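The distinction the auth.tsp nitpick draws (OpenAPI's lowercase "scheme: bearer" versus the case-insensitive HTTP auth-scheme token) and the runtime behaviour this comment asks to verify, as an added Go example that is not the project's own code: a header parser that accepts any casing of the scheme token and validates the credential against RFC 6750's b64token grammar. bearerToken and isB64Token are names chosen here, not project functions, and the sample header values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// bearerToken extracts the credential from an Authorization header value.
// RFC 9110 §11.1 makes the auth-scheme token case-insensitive, so "Bearer",
// "bearer" and "BEARER" are all accepted on the wire; OpenAPI's "scheme: bearer"
// is a separate identifier that the spec keeps lowercase. ok is false for a
// missing or different scheme and for a malformed credential.
func bearerToken(authorization string) (token string, ok bool) {
	const scheme = "bearer"
	v := strings.TrimSpace(authorization)
	if len(v) <= len(scheme) || !strings.EqualFold(v[:len(scheme)], scheme) {
		return "", false
	}
	// RFC 6750 §2.1: one or more SP separates scheme and credential, so
	// "Bearerabc" (or another scheme that merely starts with "bearer") is rejected.
	rest := v[len(scheme):]
	if rest[0] != ' ' {
		return "", false
	}
	token = strings.TrimLeft(rest, " ")
	if !isB64Token(token) {
		return "", false
	}
	return token, true
}

// isB64Token checks RFC 6750's credential grammar:
// b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
// A JWT (base64url segments joined by '.') satisfies it.
func isB64Token(s string) bool {
	allowed := func(r rune) bool {
		return r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' ||
			r >= '0' && r <= '9' || strings.ContainsRune("-._~+/", r)
	}
	body := strings.TrimRight(s, "=")
	return body != "" && strings.IndexFunc(body, func(r rune) bool { return !allowed(r) }) < 0
}

func main() {
	// Constructed sample header values, not captured from the project.
	for _, h := range []string{"Bearer eyJh.bb.cc", "BEARER tok_1", "Bearerabc", "Bearer a b"} {
		fmt.Println(bearerToken(h))
	}
}
```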
