swagger-express-middleware

Add a simple check for oauth security

Open ACTLEM opened this issue 6 years ago • 0 comments

Today, only apiKey and basic authorization are managed for security. For oauth, we need to have a trusted application. But today, we can imagine a first step by just checking the Authorization header, like the basic authorization.

In request-validator.js, add the check in http401 as below:

        // Swagger 2.0 security definition types. Each branch only checks that
        // credentials of the expected shape are present, not that they are valid.
        // `_` is lodash, already a dependency of request-validator.js.
        if (securityDef.type === 'basic') {
          return _.startsWith(req.header('Authorization'), 'Basic ');
        } else if (securityDef.type === 'oauth2') {
          // Proposed addition: bearer tokens arrive as "Authorization: Bearer <token>"
          return _.startsWith(req.header('Authorization'), 'Bearer ');
        } else if (securityDef.type === 'apiKey' && securityDef.in === 'header') {
          return req.header(securityDef.name) !== undefined;
        } else if (securityDef.type === 'apiKey' && securityDef.in === 'query') {
          return req.query[securityDef.name] !== undefined;
        } else {
          // For any other type of security, just assume it's valid.
          // TODO: Is there a way to validate OAuth2 here?
          return true;
        }

ACTLEM, Feb 27 '18 14:02
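The check proposed in the issue, as a stand-alone added example (not swagger-express-middleware's own code). It covers the same four cases (basic, oauth2 bearer, apiKey in header, apiKey in query) and adds the evaluation of a Swagger 2.0 `security` requirement list, where each alternative's definitions must all be present and any one alternative suffices. The function names `looksAuthenticated`, `satisfiesSecurity` and `makeRequest`, the stub request object and the sample security definitions are all constructed for this example; the project's real code receives an Express request instead. One deliberate difference from the snippet above: an unknown scheme type fails closed instead of returning true. Like the issue's snippet, this only tests that credentials of the right shape are present; it does not verify the bearer token, so a real deployment still needs token introspection or JWT verification behind it.

```javascript
// Added example, not part of swagger-express-middleware. Request objects
// are constructed stubs exposing header(name) and query, the minimal
// shape the check needs.

// Returns true when the request *appears* to carry credentials matching
// the Swagger 2.0 security definition. Presence-only: the token itself is
// never validated here.
function looksAuthenticated(securityDef, req) {
  const authorization = req.header('Authorization') || '';
  switch (securityDef.type) {
    case 'basic':
      return authorization.startsWith('Basic ');
    case 'oauth2':
      // Bearer tokens (RFC 6750) arrive as "Authorization: Bearer <token>".
      return authorization.startsWith('Bearer ');
    case 'apiKey':
      if (securityDef.in === 'header') {
        return req.header(securityDef.name) !== undefined;
      }
      if (securityDef.in === 'query') {
        return req.query[securityDef.name] !== undefined;
      }
      return false;
    default:
      // Unknown scheme: fail closed rather than assume the request is valid.
      return false;
  }
}

// Swagger 2.0 "security" is an array of alternatives. Each alternative is
// an object whose keys name security definitions that must ALL be
// satisfied; the request passes if ANY alternative is satisfied. An empty
// list means the operation is unsecured.
function satisfiesSecurity(securityRequirements, securityDefinitions, req) {
  if (!securityRequirements || securityRequirements.length === 0) return true;
  return securityRequirements.some((alternative) =>
    Object.keys(alternative).every((name) => {
      const def = securityDefinitions[name];
      return def !== undefined && looksAuthenticated(def, req);
    })
  );
}

// Constructed stub request with case-insensitive header lookup, as Express provides.
function makeRequest(headers, query) {
  const lower = {};
  for (const [k, v] of Object.entries(headers || {})) lower[k.toLowerCase()] = v;
  return {
    header: (name) => lower[name.toLowerCase()],
    query: query || {},
  };
}

// Constructed sample definitions in Swagger 2.0 securityDefinitions form.
const sampleDefinitions = {
  petstore_auth: { type: 'oauth2', flow: 'implicit', authorizationUrl: 'https://example.invalid/oauth', scopes: {} },
  api_key: { type: 'apiKey', name: 'X-API-Key', in: 'header' },
  query_key: { type: 'apiKey', name: 'api_key', in: 'query' },
  basic_auth: { type: 'basic' },
  unknown_scheme: { type: 'something-else' },
};
```

Calling `satisfiesSecurity([{ petstore_auth: [] }, { api_key: [] }], sampleDefinitions, req)` models an operation that accepts either a bearer token or an API key, while `[{ api_key: [], query_key: [] }]` requires both keys on the same request.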