express-openapi-validator
Having heterogeneous combinations of security handlers does not work properly
If a particular endpoint spec contains multiple security handlers with both AND and OR conditions, as described in the "Using Multiple Authentication Types" section at this link: https://swagger.io/docs/specification/authentication/, then the behaviour of the API is not as expected.
For example, take the following scenario:
```yaml
paths:
  /health_check:
    get:
      security:
        - Handler1ThatReturnTrue: []
          Handler2ThatReturnFalse: []
        - Handler3ThatReturnTrue: []
          Handler4ThatReturnTrue: []
```
The above one will fail authorization.
If you change the above scenario to:
```yaml
paths:
  /health_check:
    get:
      security:
        - Handler1ThatReturnTrue: []
          Handler2ThatReturnTrue: []
        - Handler3ThatReturnTrue: []
          Handler4ThatReturnFalse: []
```
This scenario will pass authorization.
Somehow, when you use both AND and OR combinations of security handlers, only the first combination is respected. Can you please check and provide a fix or a workaround for this issue?
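For reference, the semantics the issue relies on, as an added example that is not part of the issue or of express-openapi-validator's code base: each object in the outer `security` array is one alternative and the alternatives are OR-ed; the scheme names inside one object are AND-ed; an empty object `{}` means no authentication is required. The evaluator below implements exactly that and is run against the two scenarios from the issue (both should pass, via different alternatives) plus a third one that must fail. The handler names are the ones from the issue; `ApiKeyAuth`, `BearerAuth`, the `TOKEN_SCOPES` map, the `example-key` value and the request objects are constructed for illustration. Handlers are assumed to be synchronous and to return a boolean; a thrown error or a missing handler counts as a rejection so that a broken handler cannot fail open.

```javascript
// Evaluate an OpenAPI `security` requirement list:
//   outer array  -> alternatives, OR-ed (first one that passes wins)
//   one object   -> schemes that must all pass, AND-ed
//   empty object -> "no auth required" alternative
// Assumption: handlers are synchronous and return true on success.
function evaluateSecurity(securityRequirements, handlers, req) {
  // No `security` block at all: the operation is public.
  if (!Array.isArray(securityRequirements) || securityRequirements.length === 0) {
    return { ok: true, via: null, failures: [] };
  }
  const failures = [];
  for (const alternative of securityRequirements) {
    const schemeNames = Object.keys(alternative);
    if (schemeNames.length === 0) {
      return { ok: true, via: [], failures };
    }
    let allPassed = true;
    for (const name of schemeNames) {
      let passed = false;
      const handler = handlers[name];
      if (typeof handler !== 'function') {
        failures.push(`${name}: no handler registered`);
      } else {
        try {
          // alternative[name] is the scope list from the spec, e.g. ['read']
          passed = handler(req, alternative[name]) === true;
          if (!passed) failures.push(`${name}: rejected`);
        } catch (err) {
          failures.push(`${name}: threw ${err.message}`);
        }
      }
      if (!passed) {
        allPassed = false; // AND: one failing scheme sinks this alternative
        break;
      }
    }
    if (allPassed) {
      return { ok: true, via: schemeNames, failures }; // OR: done
    }
  }
  return { ok: false, via: null, failures };
}

// Constructed token store standing in for real token validation.
const TOKEN_SCOPES = {
  'token-reader': ['read'],
  'token-admin': ['read', 'write'],
};

// Handlers named as in the issue, plus two header-based ones for realistic input.
const handlers = {
  Handler1ThatReturnTrue: () => true,
  Handler2ThatReturnTrue: () => true,
  Handler2ThatReturnFalse: () => false,
  Handler3ThatReturnTrue: () => true,
  Handler4ThatReturnTrue: () => true,
  Handler4ThatReturnFalse: () => false,
  // Constructed apiKey scheme; production code would use a constant-time compare.
  ApiKeyAuth: (req) => req.headers['x-api-key'] === 'example-key',
  // Constructed bearer scheme that also enforces the required scopes.
  BearerAuth: (req, requiredScopes) => {
    const auth = req.headers.authorization || '';
    if (!auth.startsWith('Bearer ')) return false;
    const granted = TOKEN_SCOPES[auth.slice('Bearer '.length)];
    return Array.isArray(granted) && requiredScopes.every((s) => granted.includes(s));
  },
};

// The two scenarios from the issue, as the parsed `security` arrays.
const scenario1 = [
  { Handler1ThatReturnTrue: [], Handler2ThatReturnFalse: [] },
  { Handler3ThatReturnTrue: [], Handler4ThatReturnTrue: [] },
];
const scenario2 = [
  { Handler1ThatReturnTrue: [], Handler2ThatReturnTrue: [] },
  { Handler3ThatReturnTrue: [], Handler4ThatReturnFalse: [] },
];
// Both alternatives contain a failing handler: must be rejected.
const scenarioNone = [
  { Handler1ThatReturnTrue: [], Handler2ThatReturnFalse: [] },
  { Handler3ThatReturnTrue: [], Handler4ThatReturnFalse: [] },
];
// Header-based alternatives: API key OR a bearer token carrying both scopes.
const headerSecurity = [{ ApiKeyAuth: [] }, { BearerAuth: ['read', 'write'] }];
const emptyReq = { headers: {} };
const adminReq = { headers: { authorization: 'Bearer token-admin' } };
const readerReq = { headers: { authorization: 'Bearer token-reader' } };
```

With these semantics, scenario 1 passes through the second alternative (`Handler3ThatReturnTrue` AND `Handler4ThatReturnTrue`) and scenario 2 through the first; only `scenarioNone` is rejected. The `failures` list is kept for logging so that a rejection can show which scheme of which alternative said no.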
Is there going to be any fix for this?
This is actually blocking my use of this tool. A fix would be rad. Until then we need to use AJV.
https://github.com/cdimascio/express-openapi-validator/blob/a760af69e4625addb205fdedcd3d38253d619bc1/src/middlewares/openapi.security.ts#L63
This TODO comment kind of explains what is missing in this codebase. IMO, this package should state somewhere in the docs that it does not support this kind of auth... or fix it, I suppose :P.
I have the same issue too. Any updates on this?