cdimascio · aleksandar-kovacic · Feb 12, 2026 · Copilot · Feb 22, 2026 · Copilot
diff --git a/src/middlewares/openapi.security.ts b/src/middlewares/openapi.security.ts
@@ -22,6 +22,7 @@ interface SecurityHandlerResult {
   success: boolean;
   status?: number;
   error?: string;
-  error?: string;
+  error?: any;
-  error?: string;
+  error?: any;
+  attempted?: boolean; // true if credentials were provided and handler was called
-  attempted?: boolean; // true if credentials were provided and handler was called
+  attempted?: boolean; // true if AuthValidator.validate() passed for this scheme and the handler was called
-  attempted?: boolean; // true if credentials were provided and handler was called
+  attempted?: boolean; // true if AuthValidator.validate() passed for this scheme and the handler was called
 }
 
 function extractErrorsFromResults(results: (SecurityHandlerResult | SecurityHandlerResult[])[]) {
@@ -87,7 +88,10 @@ export function security(
         next();
       } else {
         const errors = extractErrorsFromResults(results);
-        throw errors[0];
+        // Prioritize errors where authentication was actually attempted
+        const attemptedErrors = errors.filter(e => e.attempted);
+        const errorToThrow = attemptedErrors.length > 0 ? attemptedErrors[0] : errors[0];
-        // Prioritize errors where authentication was actually attempted
-        const attemptedErrors = errors.filter(e => e.attempted);
-        const errorToThrow = attemptedErrors.length > 0 ? attemptedErrors[0] : errors[0];
+        // Prefer server/configuration errors (5xx) so misconfigurations surface
+        const serverErrors = errors.filter(
+          (e) => typeof e.status === 'number' && e.status >= 500 && e.status < 600,
+        );
+        let errorToThrow;
+        if (serverErrors.length > 0) {
+          errorToThrow = serverErrors[0];
+        } else {
+          // Otherwise, prioritize errors where authentication was actually attempted
+          const attemptedErrors = errors.filter((e) => e.attempted);
+          errorToThrow = attemptedErrors.length > 0 ? attemptedErrors[0] : errors[0];
+        }
-        // Prioritize errors where authentication was actually attempted
-        const attemptedErrors = errors.filter(e => e.attempted);
-        const errorToThrow = attemptedErrors.length > 0 ? attemptedErrors[0] : errors[0];
+        // Prefer server/configuration errors (5xx) so misconfigurations surface
+        const serverErrors = errors.filter(
+          (e) => typeof e.status === 'number' && e.status >= 500 && e.status < 600,
+        );
+        let errorToThrow;
+        if (serverErrors.length > 0) {
+          errorToThrow = serverErrors[0];
+        } else {
+          // Otherwise, prioritize errors where authentication was actually attempted
+          const attemptedErrors = errors.filter((e) => e.attempted);
+          errorToThrow = attemptedErrors.length > 0 ? attemptedErrors[0] : errors[0];
+        }
+        throw errorToThrow;
       }
     } catch (e) {
       const message = e?.error?.message || 'unauthorized';
@@ -138,7 +142,7 @@ class SecuritySchemes {
       }
       return Promise.all(
         Object.keys(s).map(async (securityKey) => {
-
+          let validatorPassed = false;
           try {
             const scheme = this.securitySchemes[securityKey];
             const handler = this.securityHandlers?.[securityKey] ?? fallbackHandler;
@@ -157,6 +161,8 @@ class SecuritySchemes {
               throw new InternalServerError({ message });
             }
             new AuthValidator(req, scheme, scopes).validate();
+            // If we reach here, validation passed and credentials were provided
-            // If we reach here, validation passed and credentials were provided
+            // If we reach here, AuthValidator did not report validation errors for this scheme
-            // If we reach here, validation passed and credentials were provided
+            // If we reach here, AuthValidator did not report validation errors for this scheme
+            validatorPassed = true;
             // expected handler results are:
             // - throw exception,
             // - return true,
@@ -167,7 +173,7 @@ class SecuritySchemes {
             const securityScheme = <OpenAPIV3.SecuritySchemeObject>scheme;
             const success = await handler(req, scopes, securityScheme);
             if (success === true) {
-              return { success };
+              return { success, attempted: true };
             } else {
               throw Error();
             }
@@ -176,6 +182,7 @@ class SecuritySchemes {
               success: false,
               status: e.status ?? 401,
               error: e,
+              attempted: validatorPassed,
             };
           }
         }),

diff --git a/test/resources/security.yaml b/test/resources/security.yaml
@@ -19,6 +19,17 @@ paths:
           description: OK
         "401":
           description: unauthorized
+
+  /bearer_or_apikey:
+    get:
+      security:
+        - BearerAuth: []
+        - ApiKeyAuth: []
+      responses:
+        "200":
+          description: OK
+        "401":
+          description: unauthorized
 
   /no_security:
     get:

diff --git a/test/security.handlers.spec.ts b/test/security.handlers.spec.ts
@@ -64,6 +64,7 @@ describe('security.handlers', () => {
         .get(`/cookie_auth`, (req, res) => {res.json({ logged_in: true })})
         .get(`/oauth2`, (req, res) => {res.json({ logged_in: true })})
         .get(`/openid`, (req, res) => {res.json({ logged_in: true })})
+        .get(`/bearer_or_apikey`, (req, res) => {res.json({ logged_in: true })})
         .get(`/api_key_or_anonymous`, (req, res) =>{
           res.json({ logged_in: true })
   })
@@ -412,6 +413,30 @@ describe('security.handlers', () => {
     return request(app).get(`${basePath}/api_key_or_anonymous`).expect(200);
   });
 
+  it('should return error from attempted security scheme, not first defined scheme', async () => {
+    // This test verifies the fix for the issue where when multiple security schemes
+    // are defined (e.g., BearerAuth OR ApiKeyAuth) and only one is attempted (ApiKeyAuth),
+    // the error from the attempted scheme should be returned, not the error from the
+    // first defined scheme (BearerAuth).
+    const validateSecurity = eovConf.validateSecurity as ValidateSecurityOpts;
+    (validateSecurity.handlers! as any).BearerAuth = (req, scopes, schema) => true;
+    (validateSecurity.handlers! as any).ApiKeyAuth = (req, scopes, schema) => {
+      throw new Error('Invalid API key provided');
+    };
+
+    return request(app)
+      .get(`${basePath}/bearer_or_apikey`)
+      .set('X-API-Key', 'wrong-key') // Provide API key but not Bearer token
+      .expect(401)
+      .then((r) => {
+        const body = r.body;
+        expect(body.errors).to.be.an('array');
+        expect(body.errors).to.have.length(1);
+        // Should return the API key error, not the Bearer token error
+        expect(body.errors[0].message).to.equals('Invalid API key provided');
+      });
+  });
+
   it('should return 200 if api_key or anonymous and api key is supplied', async () => {
     const validateSecurity = eovConf.validateSecurity as ValidateSecurityOpts;
     (validateSecurity.handlers! as any).ApiKeyAuth = (req, scopes, schema) => true;