Closed RomanHotsiy closed 1 month ago
I like the first approach better as it allows fine-grained exceptions. However, I'd make the method
property plural to be able to specify several methods. Also, we can make it optional and ignore an entire path if there are no methods specified.
FYI:
If you define security on the operation or path item as
security: []
it means security is explicitly defined as no security, it won't trigger the rule.
I mention it in the docs here: https://redocly.com/docs/cli/rules/security-defined/#api-design-principles
@RomanHotsiy do you think we still need this adjustment? Is there a case that couldn't be easily covered by the empty security as @adamaltman suggests?
Yes. Still makes sense.
Is your feature request related to a problem? Please describe.
Very often API define a health endpoint which is not protected by any kind of auth.
Our
security-defined
rule always reports this as a problem.Surely, it can be ignored with ignore file but this is a problem for users who constantly onboard new APIs. Configurable rule can't be used here as it doesn't cover security defined on different levels (operation vs root).
Describe the solution you'd like
Add support for
exceptions
config option to the rule:Describe alternatives you've considered
I used
exceptions
as we use this term inpath-segment-plural
rule. Let me know if you have better suggestions.Another alternative is to have a simpler list of exceptions (only path)
What do you think?