
feat: add securitySchemes and security to openapi.yaml #33

Open
reiroop wants to merge 2 commits into feature/issue-14 from feature/issue-11

Conversation

@reiroop
Collaborator

@reiroop reiroop commented May 27, 2026

Close #11

Summary by CodeRabbit

  • Chores
    • Updated the API specification and server code generation, unifying the endpoint structure, authentication mechanism, and request/response schemas. Session management has been strengthened.

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 27, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 20edb65f-93e9-4d05-8c0a-571bd574dad1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

Introduces authentication schemes (EmailVerifiedSession, NewShowcaseAuth, CsrfTokenHeader) into the OpenAPI specification and carries out a unified refactoring of the email verification, customer, invoice, and checkout session APIs. Endpoint paths (/customer → /customers, etc.) and request/response schemas are tidied up, and the generated server types, handler interface, and wrapper implementation are updated to match.

Changes

API security and specification unification

  • Authentication scheme base definitions (openapi.yaml): Newly defines EmailVerifiedSession, NewShowcaseAuth, and CsrfTokenHeader under securitySchemes. Attaches security: [] to /csrf and /webhook/invoice-paid to make unauthenticated access explicit.
  • Email verification endpoint refactoring (openapi.yaml, server/gen.go): Replaces the request/response schemas of the /verify-email endpoints, VerifyEmail* → PostVerifyEmail*. Renames the session cookie from __Host-checkin_session to __Host-checkin_email_verified_session. Aligns the OpenAPI schemas with the generated code types.
  • Customer, invoice, and checkout session API schema unification (openapi.yaml, server/gen.go): Path cleanup: /customer → /customers, /invoice → /invoices, /list/checkout-sessions → /checkout/sessions. Adds EmailVerifiedSession and NewShowcaseAuth security to each endpoint. Defines the PatchCustomerRequest, InvoiceStatus, GetInvoicesResponse, and PostInvoiceResponse schemas. Unifies InvoiceDataStatus into InvoiceStatus.
  • Server handler contract and implementation update (server/gen.go): Changes the ServerInterface methods (PatchCustomer, PostCustomer, PostInvoice) to take only ctx. Restructures the ServerInterfaceWrapper implementation: POST/PATCH methods omit unmarshalling, GET methods keep query parameter binding. Updates the routing registration paths and the embedded Swagger spec.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • traPtitech/Checkin-openapi#10: the preceding PR that introduced the email verification endpoint (/verify-email) and its type definitions (the VerifyEmail* series). This PR replaces the verify-email types and schemas with PostVerifyEmail* and restructures the specification for the same area.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title accurately reflects the main change, "add securitySchemes and security", and is concise and clear.
  • Linked Issues check: ✅ Passed. The requirement of linked issue #11, "describe securitySchemes and security in openapi.yaml", is fully satisfied by the code changes (the newly added securitySchemes definitions and the security settings on multiple endpoints).
  • Out of Scope Changes check: ✅ Passed. Only changes directly tied to adding the security schemes are included; the API specification updates (such as endpoint renames) were made together with the security definitions and form a consistent, in-scope change.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@reiroop reiroop changed the base branch from main to feature/issue-14 May 27, 2026 22:22
@reiroop reiroop requested a review from kaitoyama May 27, 2026 22:25

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
openapi.yaml (2)

16-18: ⚡ Quick win

Add an operation.description to clear the Spectral warning.

These 4 operations have only a summary, so the current lint warning remains. Putting in a short description makes CI and the generated documentation easier to follow.

Also applies to: 42-45, 133-140, 227-234

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openapi.yaml` around lines 16 - 18, The Spectral warnings are caused by POST
operations that only have a summary; add a short operation.description for each
flagged POST (e.g., the operation with summary "isct メールアドレスの確認メールを送信" and the
three other POST operations flagged by the linter) so each operation object
contains both summary and description; update each operation block to include an
operation.description string (one or two concise sentences) describing the
endpoint behavior to satisfy the linter and improve generated docs.

206-210: ⚡ Quick win

The spec allows an empty PATCH and unknown keys.

With the current definition the requestBody itself is optional, and PatchCustomerRequest has every field optional with additionalProperties unspecified, so updates with no body, with {}, or with a typo'd key are all valid. Even for partial updates it is safer as a contract to require at least one property and reject unknown keys.

Proposed diff
   patch:
     summary: Customer を更新
     tags:
       - Customer
     operationId: patchCustomer
     requestBody:
+      required: true
       content:
         application/json:
           schema:
             $ref: '`#/components/schemas/PatchCustomerRequest`'
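Review bot: the `$ref` value on the last line of this hunk has backticks inside the quotes ('`#/components/schemas/PatchCustomerRequest`'), which looks like markdown rendering leaking into the YAML; applied verbatim, the reference would not resolve, so keep it as `$ref: '#/components/schemas/PatchCustomerRequest'`. The `required: true` addition on requestBody is the right fix for the "no body" case.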
@@
     PatchCustomerRequest:
       description: Customer 更新リクエスト (すべてのフィールドはオプショナル)
       type: object
+      additionalProperties: false
+      minProperties: 1
       properties:
         email:
           type: string
           description: Email
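Review bot: the schema description on the second line of this hunk still says all fields are optional, which stops being the whole contract once `minProperties: 1` is added; reword it to say that every field is optional but at least one must be supplied. Also note that `additionalProperties: false` and `minProperties: 1` only reject requests if bodies are validated against the spec at runtime; the walkthrough above says the regenerated ServerInterfaceWrapper skips unmarshalling for POST/PATCH, so confirm that the handler or a request-validation middleware actually enforces both constraints.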

Also applies to: 541-553

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openapi.yaml` around lines 206 - 210, requestBody is currently optional and
PatchCustomerRequest allows empty bodies and unknown keys; make the body
required and tighten the schema by adding requestBody.required: true and in
components.schemas.PatchCustomerRequest set additionalProperties: false and
minProperties: 1 (keep individual fields optional to allow partial updates), and
apply the same changes to the other PATCH schemas mentioned (e.g., the other
Patch* schemas at the noted range) so an empty object and unknown/typo keys are
rejected by the spec.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ffeb3ea-a9ae-4183-8d7b-271787cde57b

📥 Commits

Reviewing files that changed from the base of the PR and between 913b903 and 310964d.

📒 Files selected for processing (2)
  • openapi.yaml
  • server/gen.go
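As an added example (not code from this PR or from the Checkin project), the runtime counterpart of the tightened PatchCustomerRequest contract discussed in the nitpick above: a Go decoder that rejects unknown keys (additionalProperties: false) and empty patches (minProperties: 1) while keeping every field optional. The `name` field and the sample bodies are assumptions for illustration; the PR only shows `email`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)
// PatchCustomerRequest: every field optional (nil when absent); `name` is assumed, the PR shows only `email`.
type PatchCustomerRequest struct {
	Email *string `json:"email,omitempty"`
	Name  *string `json:"name,omitempty"`
}
var (
	ErrNotObject  = errors.New("body must be exactly one JSON object")
	ErrEmptyPatch = errors.New("patch must contain at least one field") // minProperties: 1
	ErrBadField   = errors.New("unknown key or wrong value type")       // additionalProperties: false
)
// DecodePatchCustomer enforces at runtime what the spec change declares;
// a schema constraint rejects nothing by itself unless requests are validated against it.
func DecodePatchCustomer(body []byte) (PatchCustomerRequest, error) {
	// Pass 1: count keys the way minProperties does (a key with a null value still counts).
	var keys map[string]json.RawMessage
	dec := json.NewDecoder(bytes.NewReader(body))
	if err := dec.Decode(&keys); err != nil || keys == nil { // no body, non-object, or `null`
		return PatchCustomerRequest{}, ErrNotObject
	}
	if err := dec.Decode(&struct{}{}); err != io.EOF { // trailing data such as `{} {}`
		return PatchCustomerRequest{}, ErrNotObject
	}
	if len(keys) == 0 {
		return PatchCustomerRequest{}, ErrEmptyPatch
	}
	// Pass 2: typed decode; DisallowUnknownFields is the runtime form of additionalProperties: false.
	var req PatchCustomerRequest
	typed := json.NewDecoder(bytes.NewReader(body))
	typed.DisallowUnknownFields()
	if err := typed.Decode(&req); err != nil {
		return PatchCustomerRequest{}, fmt.Errorf("%w: %v", ErrBadField, err)
	}
	return req, nil
}
func main() { // constructed sample bodies: valid partial update, empty patch, typo key, no body
	for _, body := range []string{`{"email":"a@example.com"}`, `{}`, `{"emial":"x"}`, ``} {
		_, err := DecodePatchCustomer([]byte(body))
		fmt.Printf("%-26q -> %v\n", body, err)
	}
}
```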


Development

Successfully merging this pull request may close these issues.

It would be good to describe securitySchemes and security in openapi.yaml

1 participant