[HTTP] Fix api/oas dev route (#223487)

## Summary This fixes the `api/oas` route that was broken due to missing `security.authz` param. In #220231 the `security.authz` param is asserted as non-null but when the route is assigned directly from the `internalSetup.server`, this is not the case. I believe this is the only such case where this applies. ### Checklist - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. --------- Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
2025-06-28 11:05:39 -04:00 · 2025-06-17 08:06:27 -05:00 · 2025-06-17 08:06:27 -05:00 · e84b0abcab
commit e84b0abcab
parent 2941d04748
1 changed files with 10 additions and 2 deletions
--- a/src/core/packages/http/server-internal/src/http_service.ts
+++ b/src/core/packages/http/server-internal/src/http_service.ts
@ -273,7 +273,7 @@ export class HttpService
      version: schema.maybe(schema.string()),
      excludePathsMatching: schema.maybe(stringOrStringArraySchema),
      pathStartsWith: schema.maybe(stringOrStringArraySchema),
-      pluginId: schema.maybe(schema.string()),
+      pluginId: schema.maybe(schema.string()), // i.e. `@kbn/lens-plugin`
    });

    server.route({
@ -324,7 +324,15 @@ export class HttpService
        );
      },
      options: {
-        app: { access: 'public' },
+        app: {
+          access: 'public',
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'Dev only route',
+            },
+          },
+        },
        auth: false,
        cache: {
          privacy: 'public',