vertx-web
Cannot use per-operation AuthorizationHandlers with vertx-web-openapi
Version
4.3.0
Context
After the introduction of RFC: Web Handlers Setup Mistake Free in vertx 4.3.0, we can no longer register AuthorizationHandler per-operation when using vertx-web-openapi.
Before vertx 4.3.0 we would use the RouterBuilder similar to:
routerBuilder
    .operation("awesomeOperation")
    .handler(/* AuthZ handler */)
    .handler(/* User handler */);
With the upgrade to 4.3.0 it now fails with:
java.lang.IllegalStateException: Cannot add [AUTHORIZATION] handler to route with [USER] handler at index 2
The referenced USER handler is the ValidationHandler auto-generated by the OpenAPI spec.
Do you have a reproducer?
Not currently
Any update or recommended work-around?
This is currently blocking us from upgrading to vertx 4.3
I am also running into this. It's because the OpenAPI3 router builder adds ValidationHandlerImpl, which is a USER handler.
I think vertx-web needs to implement some sort of runtime sorting of handlers if we are to continue using things like the OpenAPI libs which insert multiple handlers when createRouter() is called, which has given the client programmer the chance to install a whole host of their own.
Also, for context, I'm in a similar situation: My API needs to have some endpoints that do not have authentication AND it needs extra authorization handlers on another subset.
@ikstewa fyi you can turn this check off by doing
System.setProperty("io.vertx.web.router.setup.lenient", "true");
before building the router.
We're able to upgrade and get past the check; however, the check is correct. We're running our AuthZ checks after the body validations. So for example if I have an authentic token which does not have authorization for this particular route, the request body validation is going to be run before the AuthZ check.
The core issue is: How are you supposed to register AuthZ handlers per-route, such that they are run before the validation handlers?
Related: https://github.com/vert-x3/vertx-web/issues/1895
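Added example, not part of the thread and not vertx-web code: a simplified Java model of the ordering rule and of the consequence described in the comment above, where lenient mode lets body validation answer before the AuthZ check. The `Kind` enum, `Route` class, status codes and sample request are assumptions made for illustration; the real router distinguishes more handler types.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

// Simplified model of the handler-ordering rule; hypothetical names, not vertx-web's implementation.
public class HandlerOrderDemo {
  enum Kind { AUTHORIZATION, USER }                      // lower ordinal must be registered first

  record Req(boolean authorized, boolean bodyValid) {}
  record Step(Kind kind, Function<Req, Integer> fn) {}   // fn returns an HTTP status, or null to continue

  static class Route {
    final List<Step> steps = new ArrayList<>();
    final boolean lenient;
    Route(boolean lenient) { this.lenient = lenient; }

    Route add(Kind kind, Function<Req, Integer> fn) {
      for (int i = 0; i < steps.size(); i++) {
        Kind seen = steps.get(i).kind();
        // Strict mode rejects a handler that belongs before one already on the route.
        if (!lenient && seen.ordinal() > kind.ordinal())
          throw new IllegalStateException("Cannot add [" + kind + "] handler to route with ["
              + seen + "] handler at index " + i);
      }
      steps.add(new Step(kind, fn));
      return this;
    }

    int handle(Req r) {                                  // first handler to return a status ends the request
      for (Step s : steps) {
        Integer status = s.fn().apply(r);
        if (status != null) return status;
      }
      return 200;
    }
  }

  static final Function<Req, Integer> VALIDATE = r -> r.bodyValid() ? null : 400; // stands in for the generated validation handler
  static final Function<Req, Integer> AUTHZ = r -> r.authorized() ? null : 403;

  public static void main(String[] args) {
    Req req = new Req(false, false);                     // constructed: authenticated but unauthorized, invalid body
    try {
      new Route(false).add(Kind.USER, VALIDATE).add(Kind.AUTHORIZATION, AUTHZ);
    } catch (IllegalStateException e) {
      System.out.println("strict:      " + e.getMessage());
    }
    Route lenient = new Route(true).add(Kind.USER, VALIDATE).add(Kind.AUTHORIZATION, AUTHZ);
    System.out.println("lenient:     " + lenient.handle(req));   // validation responds before AuthZ is consulted
    Route authzFirst = new Route(false).add(Kind.AUTHORIZATION, AUTHZ).add(Kind.USER, VALIDATE);
    System.out.println("authz first: " + authzFirst.handle(req)); // AuthZ rejects before the body is validated
  }
}
```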
After this pull request it's possible to register AuthZ handlers using a new method on the operation. The original example is supported as:
routerBuilder
    .operation("awesomeOperation")
    .authorizationHandler(/* AuthZ handler */)
    .handler(/* User handler */);
@vietj @pmlopes Does this seem like a reasonable approach to support?
@chris-brace Would the above proposal fix your use case?
I think this would help me because our issue is only that we need to attach authorization handlers.
I'd also like to add operation specific authorization handlers. The lenient workaround works, although it prints warnings for all routes with authorization handlers.
If I understand the code in OpenAPI3RouterBuilderImpl correctly there is currently no way to use AuthorizationHandlers with the openapi module.
https://github.com/vert-x3/vertx-web/blob/58678777c7607289a0b6b8cb87a514155017217f/vertx-web-openapi/src/main/java/io/vertx/ext/web/openapi/impl/OpenAPI3RouterBuilderImpl.java#L278-L296
Is there any other way to register authorization handlers with openapi that I am missing? If so: which one?
The solution of @ikstewa looks great. Is there any reason besides no time/resources for review that prohibits a merge?
The new OpenAPI module which supports both OpenAPI 3.0 and 3.1 does solve this issue. There is no need for being lenient or adding more methods to the API that would perform the same result.
A regression test is added to ensure this case passes.