express-openapi-validator
checkErrorWithAnd doesn't work when another SecurityScheme method has failed.
When a security scheme fails, the next scheme will fail if it requires two api keys. This is new behavior as of PR 393, whereas in the past it would validate if any of multiple grouped securitySchemes validated.
To reproduce:
```yaml
security:
  - cookie: []
  - apiKey: []
    apiKeySecret: []
```
If no cookie is supplied, the failure of the first validation group will not clear when the second one is validated.
The reason is obvious in src/middlewares/openapi.security.ts:
```ts
function checkErrorsWithAnd(res) {
  let allSuccess = false;
  res.forEach(r => {
    if (!r.success) {
      allSuccess = false;
      if (!firstError) {
        firstError = r;
      }
    } else if (!firstError) {
      allSuccess = true;
    }
  })
  if (allSuccess) {
    success = true;
  }
}
```
As you can see, firstError would be previously set to a truthy value by the failing validator, resulting in all subsequent validators failing.
A simple fix would be:
```ts
function checkErrorsWithAnd(res) {
  let allSuccess = true;
  res.forEach(r => {
    if (!r.success) {
      allSuccess = false;
      if (!firstError) {
        firstError = r;
      }
    }
  })
  if (allSuccess) {
    success = true;
  }
}
```
This way you retain the firstError from the previous validator group.
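The behaviour reported above, set beside a stateless per-group evaluation and run over a small regression matrix. This is an added example, not part of the original post or the project's code. The function names, the `{ success, scheme }` result shape and the sample cases are assumptions; `evaluateIsolated` is an equivalent formulation of the rule, not the snippet proposed in the issue.

```javascript
// Added example (not project code). Each group is the list of handler results
// for one entry under `security`; the { success, scheme } shape is an assumption.

// Behaviour reported in the issue: firstError is shared across groups.
function evaluateReported(groups) {
  let success = false;
  let firstError = null;
  for (const res of groups) {
    let allSuccess = false;
    res.forEach((r) => {
      if (!r.success) {
        allSuccess = false;
        if (!firstError) firstError = r;
      } else if (!firstError) {
        allSuccess = true;
      }
    });
    if (allSuccess) success = true;
  }
  return { success, firstError };
}

// Per-group decision: a group passes only if every scheme in it passed (AND);
// the request passes if any group passed (OR). No state leaks between groups.
function evaluateIsolated(groups) {
  const failures = groups.flat().filter((r) => !r.success);
  const success = groups.some((res) => res.every((r) => r.success));
  return { success, firstError: failures[0] || null };
}

const ok = (scheme) => ({ success: true, scheme });
const fail = (scheme) => ({ success: false, scheme });

// Constructed cases for: [cookie] OR [apiKey AND apiKeySecret]
const cases = {
  keysOnly: [[fail('cookie')], [ok('apiKey'), ok('apiKeySecret')]],
  oneKeyOnly: [[fail('cookie')], [ok('apiKey'), fail('apiKeySecret')]],
  cookieOnly: [[ok('cookie')], [fail('apiKey'), fail('apiKeySecret')]],
  nothing: [[fail('cookie')], [fail('apiKey'), fail('apiKeySecret')]],
};

function runMatrix(evaluate) {
  return Object.fromEntries(
    Object.entries(cases).map(([name, groups]) => [name, evaluate(groups).success])
  );
}

console.log('reported:', runMatrix(evaluateReported));
console.log('isolated:', runMatrix(evaluateIsolated));
```

The `oneKeyOnly` case is the one to keep in a regression suite: a fix for the false rejection must still refuse a request that presents only one of the two grouped keys.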
I have the same issue, any update?