Describe the bug
A service defines two security schemes: one bearer-based scheme and one apiKey-based scheme. Both have individual security handlers with their own internal validation logic. When a request uses the ApiKeyAuth scheme and its handler throws an error, the framework incorrectly returns the error from the bearer scheme (“missing token”), even though this scheme is not used for the request.
To Reproduce
A request is sent using the ApiKeyAuth header.
If the ApiKeyAuth handler fails, the middleware still reports the KeyCloakAuth error (“missing token”), instead of returning the actual error from the handler that was triggered.
Actual behavior
The middleware always returns the missing-bearer-token error, regardless of which security scheme matches the request.
Expected behavior
The request should first be matched against the security scheme actually used. Only the handler for that scheme should execute. If this handler fails, its own error must be returned without falling back to other schemes.
Examples and context
The issue originates in the incorrect error-accumulation logic here:
https://github.com/cdimascio/express-openapi-validator/blob/master/src/middlewares/openapi.security.ts#L90
```yaml
securitySchemes:
  KeyCloakAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT
  ApiKeyAuth:
    type: apiKey
    in: header
    name: sessionid
```
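The expected behaviour from the report, as an added example that is not express-openapi-validator's own code: for alternative security requirements, only the scheme whose credential is actually on the request is evaluated, and that handler's error is returned unchanged. The scheme definitions are the issue's; `authenticate`, `schemePresent`, the handlers and their status codes are constructed for illustration.

```javascript
// Added example, not express-openapi-validator's own code: the scheme-matching
// behaviour the issue expects, for alternative (OR-ed) security requirements.
// Scheme definitions copied from the issue's securitySchemes fragment.
const securitySchemes = {
  KeyCloakAuth: { type: 'http', scheme: 'bearer', bearerFormat: 'JWT' },
  ApiKeyAuth: { type: 'apiKey', in: 'header', name: 'sessionid' },
};
// True when the request carries the credential this scheme expects.
function schemePresent(scheme, req) {
  const h = req.headers || {};
  if (scheme.type === 'http' && scheme.scheme === 'bearer') {
    return /^bearer\s+\S+/i.test(h.authorization || '');
  }
  if (scheme.type === 'apiKey' && scheme.in === 'header') {
    return typeof h[scheme.name.toLowerCase()] === 'string';
  }
  return false;
}
// Picks the first requirement whose schemes are all present on the request,
// runs only those handlers, and returns that handler's error unchanged
// (no fallback to the "missing token" error of a scheme the request never used).
// Handlers take (req, scopes, schema) and are synchronous to keep this self-contained.
function authenticate(requirements, handlers, req) {
  const matched = requirements.find((r) =>
    Object.keys(r).every((name) => schemePresent(securitySchemes[name], req)));
  if (!matched) {
    return { ok: false, status: 401, message: 'no matching security scheme' };
  }
  for (const name of Object.keys(matched)) {
    try {
      handlers[name](req, matched[name], securitySchemes[name]);
    } catch (err) {
      return { ok: false, status: err.status || 401, message: err.message, scheme: name };
    }
  }
  return { ok: true, scheme: Object.keys(matched).join('+') };
}
// Constructed handlers mirroring the issue: each validates its own credential.
const handlers = {
  KeyCloakAuth: (req) => {
    if (!req.headers.authorization) throw Object.assign(new Error('missing token'), { status: 401 });
  },
  ApiKeyAuth: (req) => {
    if (req.headers.sessionid !== 'valid-session') {
      throw Object.assign(new Error('invalid sessionid'), { status: 403 });
    }
  },
};
// Either scheme satisfies the operation (OR-ed list, as in the reported setup).
const requirements = [{ KeyCloakAuth: [] }, { ApiKeyAuth: [] }];
```

A request with a bad `sessionid` now yields the ApiKeyAuth handler's own error rather than KeyCloakAuth's "missing token".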