
If multiple securities are not met, an error is returned only for the first

Open cdimascio opened this issue 5 years ago • 1 comment

If multiple securities are configured for an endpoint and multiple are not met, the errors object only contains the first security error, instead of all security errors.

cdimascio, Apr 28 '20 12:04

This week I've been attempting to implement my own custom security handler logic for authorization, and just came upon this same issue while testing.

I wrote up a new feature request but found this existing issue just before posting.

Here is what I was thinking of posting if any of the content would help with this issue at all:


Is your feature request related to a problem? Please describe.

The problem I am facing is when multiple SecuritySchemes are defined for an endpoint with custom security handlers for each performing authorization (permission checks), in addition to standard validation. If all security handlers reject the request for one reason or another, it's always the first failure message that is returned to the client, even if another error message is more specific.

For example, consider the following security schemes defined in a spec:

securitySchemes:
  Session:
    type: apiKey
    in: cookie
    name: my_session_cookie_name
  ApiKeyAuth:
    type: apiKey
    in: header
    name: token

with validateSecurity options:

  validateSecurity: {
    handlers: {
      // one handler per securityScheme name; each runs after the standard
      // presence check for that scheme and performs the custom authorization
      Session: (req, scopes, schema) => doAuthN(req, scopes, schema),
      ApiKeyAuth: (req, scopes, schema) => doAuthN(req, scopes, schema),
    },
  },

When a request comes in with a token header that fails authorization, the error message returned to the client is that the cookie my_session_cookie_name is required. Due to that security scheme being first, its failure message is always returned to the client if all schemes fail.

Describe the solution you'd like

It is already the case that standard and custom validation for all security schemes are always executed asynchronously. Could the resulting custom validation failures be prioritized as the message returned to the client over the standard validation failures?

Some pseudo-code of what I'm thinking

  if (customValidationErrors)
    return first(customValidationErrors)
  else if (standardValidationErrors)
    return first(standardValidationErrors)

Describe alternatives you've considered

We currently use a custom express middleware to perform authorization checks, but I'd love to move that logic to utilize the security handler hooks in this library instead. The reason being that it allows authorization checks to happen before request body validation. The issue I describe above will likely keep us on custom middleware, which is fine; I understand the hooks for validating security are a convenience. If you see any alternative ways to accomplish what I'm describing here I'd love to hear them!


Also, thanks for providing this library, it is easy to read and easy to use!

ghost, Dec 20 '21 18:12
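An added example, not code from express-openapi-validator or from either commenter, that models the behaviour discussed in this thread: an operation whose `security` list offers several alternative schemes, each checked first for presence of the credential ("standard" validation) and then by a custom handler, and the question of which failure to report when every alternative fails. It keeps every alternative's error (the original issue) and supports the "custom errors first" selection proposed in the comment above. The `standardCheck` and `evaluateSecurity` functions, the handler bodies standing in for `doAuthN`, the token table and the sample requests are all assumptions made for this illustration; the library's real handlers are asynchronous, whereas this model is synchronous to keep it self-contained.

```javascript
// Added example (not express-openapi-validator's own code). Models evaluation
// of an operation's `security` alternatives and the choice of reported error.
// Everything below is an assumption made for illustration.

const securitySchemes = {
  Session: { type: 'apiKey', in: 'cookie', name: 'my_session_cookie_name' },
  ApiKeyAuth: { type: 'apiKey', in: 'header', name: 'token' },
};

// "Standard" validation: is the credential present where the scheme says?
function standardCheck(req, scheme) {
  const value = scheme.in === 'cookie'
    ? (req.cookies || {})[scheme.name]
    : (req.headers || {})[scheme.name.toLowerCase()];
  if (value === undefined) {
    return { ok: false, stage: 'standard', message: `${scheme.in} '${scheme.name}' required` };
  }
  return { ok: true, value };
}

// "Custom" validation: stand-ins for the doAuthN handlers in the comment.
// Assumed convention: a handler returns true to accept, or a string reason to reject.
const VALID_TOKENS = new Map([
  ['tok-reader', ['read']],
  ['tok-writer', ['read', 'write']],
]); // constructed sample credential store
const handlers = {
  Session: (req, scopes, scheme) =>
    req.cookies[scheme.name] === 'sess-good' ? true : 'session cookie is not valid',
  ApiKeyAuth: (req, scopes, scheme) => {
    const granted = VALID_TOKENS.get(req.headers[scheme.name.toLowerCase()]);
    if (!granted) return 'unknown API token';
    const missing = scopes.filter((s) => !granted.includes(s));
    return missing.length === 0 ? true : `token lacks scope(s): ${missing.join(', ')}`;
  },
};

// Evaluate a `security` list: alternatives are OR'ed, schemes within one
// alternative are AND'ed. Returns { ok: true } as soon as one alternative
// passes; otherwise returns every alternative's failure in `all` and, in
// `error`, the one selected by `policy`:
//   'first'        the first failure in spec order (behaviour the issue reports)
//   'custom-first' a custom-handler rejection, if any, over a missing credential
function evaluateSecurity(req, security, policy = 'first') {
  const errors = [];
  for (const alternative of security) {
    let altError = null;
    for (const [name, scopes] of Object.entries(alternative)) {
      const scheme = securitySchemes[name];
      const std = standardCheck(req, scheme);
      if (!std.ok) { altError = { scheme: name, ...std }; break; }
      const verdict = handlers[name](req, scopes, scheme);
      if (verdict !== true) { altError = { scheme: name, stage: 'custom', message: verdict }; break; }
    }
    if (altError === null) return { ok: true };
    errors.push(altError);
  }
  if (policy === 'custom-first') {
    const custom = errors.find((e) => e.stage === 'custom');
    if (custom) return { ok: false, error: custom, all: errors };
  }
  return { ok: false, error: errors[0], all: errors };
}

// Constructed request from the scenario in the comment: a header token that
// exists but lacks the required scope, and no session cookie at all.
const security = [{ Session: [] }, { ApiKeyAuth: ['write'] }];
const req = { headers: { token: 'tok-reader' }, cookies: {} };

const first = evaluateSecurity(req, security, 'first');
// first.error.message -> "cookie 'my_session_cookie_name' required"
const prioritized = evaluateSecurity(req, security, 'custom-first');
// prioritized.error.message -> "token lacks scope(s): write"
```

Both calls fail the request; only the reported reason differs. The `all` array is what the original issue asks for (one entry per alternative), and `custom-first` is one way to express the prioritization the pseudo-code above sketches.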