Closed SHildebrandt closed 1 year ago
I think adding some flag to overwrite the default behaviour regarding protected routes would be a great idea.
Imho, adding it to `OpenApiRoute` isn't an issue and is probably the best place to put it - I think it even contains some meta-information already and I'm not trying to model the exact structure of the openapi-spec anyway.
It seems that the `securitySchemeName` on a specific route is only applied when the route is authenticated in Ktor. However, in our context the Ktor application itself is unauthenticated, but is behind a gateway which performs the authentication (this may even be route-specific, so some routes may be authenticated, others may be unauthenticated).

I see that you're also using `RouteMeta.isProtected` for deciding whether to add the `defaultUnauthorizedResponse` -- that might be a similarly problematic case.

Maybe it would be possible to give a hint that the route is protected externally? I'm open to implementing it myself and creating a PR, but I'm not sure where the preferred place would be to put that information. The `OpenApiRoute` might be a good place, but so far it only contains stuff which is really OpenAPI-specific and does not have such "meta-information".