fixes security test order

middleware/swagger-security.js

@@ -131,7 +131,7 @@ exports = module.exports = function (options) {
       req.swagger.operation.security || req.swagger.swaggerObject.security;
 
       if (securityReqs && securityReqs.length > 0) {
-        async.map(securityReqs, function (secReq, cb) { // logical OR - any one can allow
+        async.mapSeries(securityReqs, function (secReq, cb) { // logical OR - any one can allow
           var secName;
 
           async.map(Object.keys(secReq), function (name, cb) { // logical AND - all must allow

test/1.2/test-middleware-swagger-security.js

@@ -40,21 +40,27 @@ var rlJson = _.cloneDeep(require('../../samples/1.2/resource-listing.json'));
 var storeJson = _.cloneDeep(require('../../samples/1.2/store.json'));
 var userJson = _.cloneDeep(require('../../samples/1.2/user.json'));
 
-var SecurityDef = function (allow) {
+var SecurityDef = function (allow, delay) {
   var self = this;
 
   if (allow === undefined) {
     allow = true;
   }
 
+  if (delay === undefined) {
+    delay = 0;
+  }
+
   this.called = false;
 
   this.func = function (request, securityDefinition, scopes, cb) {
     assert(Array.isArray(scopes));
 
     self.called = true;
 
-    cb(allow ? null : new Error('disallowed'));
+    setTimeout(function() {
+      cb(allow ? null : new Error('disallowed'));
+    }, delay);
   };
 };
 var ApiKeySecurityDef = function() {
@@ -532,6 +538,30 @@ describe('Swagger Security Middleware v1.2', function () {
       });
     });
 
+    it('should authorize first if both are true', function(done) {
+      var local = new SecurityDef(true, 400);
+      var local2 = new SecurityDef(true);
+
+      helpers.createServer([rlJson, [petJson, storeJson, userJson]], {
+        swaggerRouterOptions: swaggerRouterOptions,
+        swaggerSecurityOptions: {
+          local: local.func,
+          local2: local2.func
+        }
+      }, function (app) {
+        request(app)
+          .get('/api/securedOr')
+          .expect(200)
+          .end(function(err, res) {
+            helpers.expectContent('OK')(err, res);
+
+            assert(!local2.called);
+
+            done();
+          });
+      });
+    });
+
     it('should authorize if first is true', function(done) {
       var local = new SecurityDef(true);
       var local2 = new SecurityDef(false);

test/2.0/test-middleware-swagger-security.js

@@ -37,21 +37,27 @@ var request = require('supertest');
 
 var petStoreJson = _.cloneDeep(require('../../samples/2.0/petstore.json'));
 
-var SecurityDef = function (allow) {
+var SecurityDef = function (allow, delay) {
   var self = this;
 
   if (allow === undefined) {
     allow = true;
   }
 
+  if (delay === undefined) {
+    delay = 0;
+  }
+
   this.called = false;
 
   this.func = function (request, securityDefinition, scopes, cb) {
     assert(Array.isArray(scopes));
 
     self.called = true;
 
-    cb(allow ? null : new Error('disallowed'));
+    setTimeout(function() {
+      cb(allow ? null : new Error('disallowed'));
+    }, delay);
   };
 };
 var ApiKeySecurityDef = function() {
@@ -469,6 +475,30 @@ describe('Swagger Security Middleware v2.0', function () {
       });
     });
 
+    it('should authorize first if both are true', function(done) {
+      var local = new SecurityDef(true, 400);
+      var local2 = new SecurityDef(true);
+
+      helpers.createServer([petStoreJson], {
+        swaggerRouterOptions: swaggerRouterOptions,
+        swaggerSecurityOptions: {
+          local: local.func,
+          local2: local2.func
+        }
+      }, function (app) {
+        request(app)
+          .get('/api/securedOr')
+          .expect(200)
+          .end(function(err, res) {
+            helpers.expectContent('OK')(err, res);
+
+            assert(!local2.called);
+
+            done();
+          });
+      });
+    });
+
     it('should authorize if first is true', function(done) {
       var local = new SecurityDef(true);
       var local2 = new SecurityDef(false);