fastify-swagger

Lists of Security Requirement Objects on an operation are not supported

Open beryxz opened this issue 1 year ago • 2 comments

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.28.1

Plugin version

8.15.0

Node.js version

22.6

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

24.04

Description

It seems that the security property definition inside FastifySchema doesn't cover the use case of multiple different security objects on a route schema (spec. ref):

interface FastifySchema {
    ...
    security?: ReadonlyArray<{ [securityLabel: string]: readonly string[] }>;
}

The relevant part would be:

When a list of Security Requirement Objects is defined on the OpenAPI Object or Operation Object, only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request.

It should then be possible to use both the following:

{
  // api_key AND bearer_token
  security: [{ api_key: [], bearer_token: [] }]
}
{
  // api_key OR bearer_token
  security: [{ api_key: [] }, { bearer_token: [] }]
}

but the "OR" solution doesn't work and throws the error:

Types of property 'security' are incompatible.
    Type '({ bearer_token: never[]; api_key?: undefined; } | { api_key: never[]; bearer_token?: undefined; })[]' is not assignable to type 'readonly { [securityLabel: string]: readonly string[]; }[]'.
      Type '{ bearer_token: never[]; api_key?: undefined; } | { api_key: never[]; bearer_token?: undefined; }' is not assignable to type '{ [securityLabel: string]: readonly string[]; }'.
        Type '{ bearer_token: never[]; api_key?: undefined; }' is not assignable to type '{ [securityLabel: string]: readonly string[]; }'.
          Property 'api_key' is incompatible with index signature.
            Type 'undefined' is not assignable to type 'readonly string[]'.

Link to code that reproduces the bug

No response

Expected Behavior

It should be possible to use both solutions in the security property.

beryxz, Aug 21 '24 02:08

Thanks for reporting! Would you like to send a Pull Request to address this issue? Remember to add unit tests. We use tsd for type tests.

mcollina, Aug 22 '24 02:08

Sure, here it is; I hope everything is in order.

The new tests explicitly use undefined as errors weren't raised without it. The initial stack trace was probably a consequence of using Fastify with the TypeBoxTypeProvider.

beryxz, Aug 23 '24 17:08

As per my comment here. https://github.com/fastify/fastify-swagger/pull/817#issuecomment-2323759607

It is working as intended because of how TypeScript reflects the array types. You can either place all together, which allows proper inference, or use as const to provide actual types.

climba03003, Sep 02 '24 03:09
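
The AND and OR forms discussed in this thread, as an added TypeScript example that is not part of the issue or of fastify-swagger's code: both lists are written so that they are accepted by the security type quoted above, and a hypothetical isAuthorized helper evaluates them the way the quoted spec passage describes. Presented, requirementMet, isAuthorized and the sample credential are assumptions made for illustration.

```typescript
// Same shape as the `security` property of FastifySchema quoted in the issue.
type SecurityRequirement = { [securityLabel: string]: readonly string[] };
type Security = ReadonlyArray<SecurityRequirement>;

// Assumption: scheme name -> scopes granted by a credential already verified.
type Presented = { readonly [scheme: string]: readonly string[] };

// api_key AND bearer_token: one object naming both schemes.
const requireBoth: Security = [{ api_key: [], bearer_token: [] }];

// api_key OR bearer_token: the annotation checks each object literal against
// the index-signature type directly.
const requireEither: Security = [{ api_key: [] }, { bearer_token: [] }];

// The `as const` form mentioned in the thread; still usable as a Security.
const requireEitherConst = [{ api_key: [] }, { bearer_token: [] }] as const;

// AND inside one object: every named scheme must be presented and must grant
// every listed scope. hasOwnProperty keeps inherited keys from matching.
function requirementMet(req: SecurityRequirement, presented: Presented): boolean {
  return Object.keys(req).every((scheme) => {
    if (!Object.prototype.hasOwnProperty.call(presented, scheme)) return false;
    const granted = presented[scheme] ?? [];
    return (req[scheme] ?? []).every((scope) => granted.indexOf(scope) !== -1);
  });
}

// OR across the list: one satisfied object is enough. An empty list declares
// no requirement, and an empty object {} in the list permits anonymous access.
function isAuthorized(security: Security, presented: Presented): boolean {
  return security.length === 0 || security.some((req) => requirementMet(req, presented));
}

// Constructed sample: a caller that presented only a valid API key.
const apiKeyOnly: Presented = { api_key: [] };
const results = {
  both: isAuthorized(requireBoth, apiKeyOnly),
  either: isAuthorized(requireEither, apiKeyOnly),
  eitherConst: isAuthorized(requireEitherConst, apiKeyOnly),
};
```

Writing the OR form as a single object, or the AND form as two objects, changes what a caller must present, so a route's security list is worth covering with a test like the one sketched by results.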