License URL Ignored, Redirects to SPDX Instead of Custom URL

[elmiomar]

Description:

When using the Stoplight Elements API to render an OpenAPI specification, the license.url field is ignored, and instead, the system defaults to an SPDX URL format. Clicking on the license link redirects to https://spdx.org/licenses/undefined.html when no identifier is given, even though the url is provided. According to the OpenAPI spec, url and identifier are mutually exclusive, and I expect the url to be used when it is provided, instead of defaulting to an SPDX identifier.

Steps to Reproduce:

1. Create an OpenAPI specification that uses a License object with a url field:

   {
     "openapi": "3.0.0",
     "info": {
       "title": "Sample API",
       "version": "1.0.0",
       "license": {
         "name": "NIST Software",
         "url": "https://www.nist.gov/open/copyright-fair-use-and-licensing-statements-srd-data-software-and-technical-series-publications"
       }
     }
   }

2. Use Stoplight Elements API as described in Stoplight Elements Documentation to render the OpenAPI spec.

3. Click on the license link.

Expected Behavior:

The license link should direct to the provided url (https://www.nist.gov/open/copyright-fair-use-and-licensing-statements-srd-data-software-and-technical-series-publications), even when no identifier is provided.

Actual Behavior:

The license link incorrectly redirects to https://spdx.org/licenses/undefined.html, indicating that the url field is being ignored and the system is defaulting to an SPDX identifier even when no identifier is provided.

Additional Notes:

• According to the OpenAPI specification, the identifier and url fields are mutually exclusive, so only one of them should be used. In this case, if the url is provided, it should be respected and used for the license link.
• Currently, Stoplight Elements defaults to SPDX behavior even when no identifier is provided, leading to incorrect redirection to https://spdx.org/licenses/undefined.html.

Screenshot:

Environment:

• HTML setup: Following Stoplight Elements Documentation

  <script src="https://unpkg.com/@stoplight/elements/web-components.min.js"></script>
  <link rel="stylesheet" href="https://unpkg.com/@stoplight/elements/styles.min.css">

• Browser: Chrome - Version 128.0.6613.85 (Official Build) (arm64)

• OS: macOS Sonoma 14.6.1

Please let me know if you need additional information.

[elmiomar]

Looking at the code, I think I know what the issue is.

This problem happen because of how the || and ternary (? :) operators are being used together. The right-hand part of the expression in the license URL logic is being evaluated, even when a license.url is provided.

Current Logic:

const licenseUrl =
  license?.url || license?.identifier ? `https://spdx.org/licenses/${license?.identifier}.html` : undefined;

This will cause the SPDX URL to be built whenever the identifier is present or when only the license.url is intended to be used. This is because of operator precedence: the ternary expression is evaluated before the || operator can short-circuit based on license?.url.

Suggested Change:

const licenseUrl = license?.url ? license?.url : license?.identifier ? `https://spdx.org/licenses/${license?.identifier}.html` : undefined;

This will ensure that:

• The license.url is used when it is provided.
• The SPDX URL is only used if license.identifier is present and no url is provided.

This should fix the issue and respect the mutually exclusive behavior between url and identifier.

[github-actions]

This ticket has been labeled jira. A tracking ticket in Stoplight's Jira (PROVCON-2956) has been created.

[mnaumanali94]

@elmiomar Would you mind creating a PR for this please and add some tests? We'd be happy to review and merge.

[elmiomar]

@mnaumanali94 I've created PR #2724.