
Security schemes in OpenApi V3

Open fagossa opened this issue 3 years ago • 1 comments

Hello,

I've been trying to work with an Authorization header using the following pattern:

route
  .get('/user/:id(int)')
  .use(authHeader)

...
export const authHeader = Parser
    .headers(t.strict({ Authorization: t.string }))

Then with typera-openapi I'm able to generate the related OpenApi v3 specs.

However, it seems that this auth technique is not supported by OpenApi anymore.

They've introduced a concept called security schemes

components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer

Relevant documentation is here: https://swagger.io/docs/specification/authentication/

As far as I know typera does not support security schemas and I'm wondering how this kind of feature could be implemented? Maybe extending RouteConstructor? I've just discovered the library today but I'm eager to add the feature with some help.

Thanks a lot for the hard work

fagossa, Mar 21 '22 19:03

Hi! I'm glad to hear you like typera and typera-openapi :)

I wasn't familiar with the security stuff in OpenAPI v3. I read the docs and am now a bit confused about the whole thing.

First, the security schemes are more like data than types, so creating security schemes automatically in typera-openapi is not straightforward. Typera-openapi does its job solely on the type level by employing the TypeScript compiler API.

Second, the OpenAPI v3 security schemes are global in the sense that they're defined once under components.securitySchemes and then referred to by name. If there was a solution for creating security scheme definitions based on some type-level information, how to assign the global name and reuse the schemes between different routes?

Third, typera doesn't really force (or help) you in building runtime stuff like authentication in any particular way. In the NodeJS world, authentication is usually handled by sophisticated middleware libraries like passport. How to map the use of a third party middleware to any particular security scheme definition?

I think it would be nice to support this stuff, but currently I have no clue on how to do it properly.

akheron, Mar 23 '22 20:03
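Since the security schemes are global data referred to by name, one workaround is to post-process the generated document. The following is an added example, not code from this thread or from typera-openapi: it moves each operation's `Authorization` header parameter (which OpenAPI 3 ignores as a parameter) to a reference to the `BearerAuth` scheme quoted in the issue. It assumes the generated document lists that header under each operation's `parameters`; `applyBearerScheme` and `sampleDoc` are hypothetical names.

```typescript
// Added example, not typera-openapi code. Types cover only the fields used here.
type Parameter = { name: string; in: string; [k: string]: unknown }
type Operation = { parameters?: Parameter[]; security?: Record<string, string[]>[]; [k: string]: unknown }
type OpenApiDoc = {
  paths: Record<string, Record<string, Operation>>
  components?: { securitySchemes?: Record<string, unknown>; [k: string]: unknown }
  [k: string]: unknown
}

const METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace']
const isAuthHeader = (p: Parameter): boolean =>
  p.in === 'header' && p.name.toLowerCase() === 'authorization'

// Returns a copy of `doc` in which each operation that declared an Authorization
// header parameter references the named bearer scheme instead.
function applyBearerScheme(doc: OpenApiDoc, schemeName = 'BearerAuth'): OpenApiDoc {
  const out: OpenApiDoc = JSON.parse(JSON.stringify(doc)) // do not mutate the input
  let used = false
  for (const path of Object.keys(out.paths)) {
    for (const method of METHODS) {
      const op = out.paths[path]?.[method]
      if (!op || !op.parameters || !op.parameters.some(isAuthHeader)) continue
      const rest = op.parameters.filter((p) => !isAuthHeader(p))
      if (rest.length > 0) op.parameters = rest
      else delete op.parameters
      op.security = [{ [schemeName]: [] }] // public routes keep no `security` entry
      used = true
    }
  }
  if (used) {
    // Scheme definition as quoted in the issue (components.securitySchemes.BearerAuth).
    const components = out.components ?? (out.components = {})
    components.securitySchemes = {
      ...components.securitySchemes,
      [schemeName]: { type: 'http', scheme: 'bearer' },
    }
  }
  return out
}

// Constructed sample: one protected route, one public route.
const sampleDoc: OpenApiDoc = {
  openapi: '3.0.0',
  paths: {
    '/user/{id}': { get: { parameters: [
      { name: 'id', in: 'path', required: true, schema: { type: 'integer' } },
      { name: 'Authorization', in: 'header', required: true, schema: { type: 'string' } },
    ] } },
    '/health': { get: { responses: {} } },
  },
}
const patched = applyBearerScheme(sampleDoc)
```

The scheme name is chosen once by the caller of the post-processing step, so the same definition is reused by every route that carried the header.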