Why validate before auth?
Thank you for this project, I love it!
Why are security handlers run after validation?
https://github.com/seriousme/fastify-openapi-glue/blob/e7691f81dc989744fc8ffdbc8ae3908cf557558d/index.js#L112 adds the securityHandlers to the preHandler, but wouldn't it make more sense to add them to preValidation or even preParsing?
That way, unauthenticated users
- couldn't learn payload structure by trial-and-error,
- would tie up fewer resources,
- run less code (which might have bugs), improving security overall.
Hi,
thanks for asking!
To be honest, it wasn't a conscious decision from my side to use the preHandler and not one of the other hooks.
It has some disadvantages (like you mentioned) but it has the advantage that if you use any request parameter in a securityHandler then at least that parameter is validated.
Security by obscurity (e.g. secret payload structure) is typically not a real security measure. And I would never have the internet connect directly to a NodeJS server, without some Web Application Firewall or proxy of sorts.
Still there might be merit in performing the checks earlier in the handler chain.
Changing it now could have some serious side effects for existing users (especially when combined with other fastify plugins).
What we could do is add a config option e.g. 'securityHandlerHook' to allow users to specify on which hook the securityHandler should be attached. The configured hook should of course be validated to be one of fastify's known hooks to avoid security being bypassed because of spelling errors etc.
Kind regards, Hans
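To make the trade-off above concrete, here is an added illustration (not code from fastify-openapi-glue or Fastify itself): a constructed model of the request lifecycle in which the security handler can be attached at a configurable hook, with the hook name checked against the known hook list. The hook names are Fastify's; the pipeline, request shape, schema check and token are stand-ins.

```javascript
// Added illustration, not fastify-openapi-glue code: a constructed model of
// Fastify's request lifecycle showing what changes when the security handler
// runs at an earlier hook. Hook names are Fastify's; the rest is a stand-in.
const KNOWN_HOOKS = ['onRequest', 'preParsing', 'preValidation', 'preHandler'];
const CONSTRUCTED_TOKEN = 'Bearer constructed-token';

// Check the configured hook name so a typo cannot leave the security
// handler unattached (the "spelling errors" concern in the proposal).
function resolveSecurityHook(option = 'preHandler') {
  if (!KNOWN_HOOKS.includes(option)) {
    throw new Error(`securityHandlerHook must be one of ${KNOWN_HOOKS.join(', ')}, got "${option}"`);
  }
  return option;
}

// Constructed schema check: body must be an object with a string "name".
function validateBody(body) {
  if (typeof body !== 'object' || body === null) return 'body must be an object';
  if (typeof body.name !== 'string') return 'body.name must be a string';
  return null;
}

// Work Fastify does after each hook: parse after preParsing, validate after
// preValidation, nothing after onRequest/preHandler (the handler runs last).
const WORK_AFTER_HOOK = {
  onRequest: () => null,
  preParsing: (req) => {
    try { req.body = JSON.parse(req.rawBody); return null; }
    catch { return { status: 400, error: 'invalid JSON' }; }
  },
  preValidation: (req) => {
    const err = validateBody(req.body);
    return err ? { status: 400, error: err } : null;
  },
  preHandler: () => null,
};

// Run one request through the lifecycle with the security handler at `securityHook`.
function handleRequest(req, securityHook) {
  for (const hook of KNOWN_HOOKS) {
    if (hook === securityHook && req.headers.authorization !== CONSTRUCTED_TOKEN) {
      return { status: 401, error: 'unauthorized' };
    }
    const stop = WORK_AFTER_HOOK[hook](req);
    if (stop) return stop;
  }
  return { status: 200, greeting: `hello ${req.body.name}` };
}
```

With the handler at preHandler, an unauthenticated request with a malformed body receives the schema error (400), which is the structure-disclosure point raised in the issue; at preValidation or preParsing the same request is rejected with 401 before parsing or validation runs, while an authenticated handler at preHandler still sees an already validated body.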
Hi Hans!
Thank you for the prompt and good answer. I'm in favor of making this configurable - that would get us the upsides without breaking existing code bases. You're right - different authentication mechanisms might require different stages in the request lifecycle. I myself profited in between opening the issue and now writing this reply from having the request body validated & parsed to JSON. So while it's a bit unfamiliar, this setup has clear advantages.
All the best & have a good week-end
Florian
Still there might be merit in performing the checks earlier in the handler chain.
My own use-case is that this would make debugging a bit easier if you have funky authentication schemes and your OpenAPI schema is still evolving at rapid pace, but that's pretty fringe I suppose ^^
Plus since that part of my authentication now requires the body parsed and validated, my point is moot anyway.
Well, if you don't have a real use case then let's keep it as is for now. If somebody else comes along with a similar request we can always make it configurable.
Have a good weekend too!
Kind regards, Hans
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days