Optional Security Definitions

[rkarodia]

Is it possible to have optional security definitions? I have to spec an API that either has basic auth or is publicly accessible. However Swagger doesn't seem to cater for this scenario and as a result I can't use swaggerize-express correctly. If I specify basic auth in the swagger yaml file, then swaggerize-express always results in a validation failure when no Authorization header is present.

[tlivings]

Can you describe the use case in a little more detail, I am not sure I am following.

Do you mean make authorization optional?

[rkarodia]

I have an endpoint that works whether the Authorization header is present or not. If it is present I want to use the Security Middleware with the x-authorize option to call the appropriate authentication logic. However if no Authorization header is present, I don't want Swaggerize to fail the validation checks that it does according to the Swagger spec.

[jsdevel]

@rkarodia the current spec (as it currently stands), really doesn't allow operations to sometimes require authorization. They either always require it or they never require it.

[jdgiotta]

@jsdevel I hate to bring this back into the light, but has the spec changed to allow optional authentication? I'm writing open spec based on an existing API. The creators of the API allow for rate limited non-authenticated access (like Google Maps), but require authentication if you're using beyond the limit. It really sounds like specific BI, but I was trying to be a boy scout and write the spec properly.