antek-drzewiecki / wine_bouncer

A Ruby gem that allows Oauth2 protection with Doorkeeper for Grape Api's
MIT License
112 stars, 58 forks

Security definition missing in Swagger JSON. #70

Open nlsrchtr opened 6 years ago

nlsrchtr commented 6 years ago

Thanks for providing this gem, it helped me a lot and I have something up and running.

During the process of setting everything up (Grape, WineBouncer, Swagger and SwaggerUI) I ran into the issue that in the generated Swagger definition the "security" declaration for my secured methods is missing:

module API
  module V1
    class Me < API::V1::Base
      resource :me do
        desc "Return information of authenticated user"
        oauth2
        get do
          present UserRepresenter.prepare(resource_owner)
        end
      end
    end
  end
end

Is generating the following JSON:

"/api/v1/me": {
  "get": {
    "summary": "Return information of authenticated user",
    "description": "Return information of authenticated user",
    "produces": [
      "application/vnd.api+json"
    ],
    "responses": {
      "200": {
        "description": "Return information of authenticated user"
      }
    },
    "tags": [
      "me"
    ],
    "operationId": "getApiV1Me"
  }
},

When I add desc "Return information of authenticated user", security: [{ "oauth2": [] }] to the description of the method, everything works fine, but I expected WineBouncer would take care of that automatically, so I wouldn't need to declare it twice.

As OAuth2 definition I have the following setup:

"securityDefinitions": {
  "oauth2": {
    "type": "oauth2",
    "description": "The API is secured by OAuth 2.0",
    "tokenUrl": "...",
    "authorizationUrl": "...",
    "flow": "password",
    "scopes": {}
  }
},

And I'm using the Swagger strategy:

WineBouncer.configure do |config|
  config.auth_strategy = :swagger
  config.define_resource_owner do
    User.find(doorkeeper_access_token.resource_owner_id) if doorkeeper_access_token
  end
end

I'm currently unsure if this is a bug like discussed in https://github.com/antek-drzewiecki/wine_bouncer/issues/32 or https://github.com/antek-drzewiecki/wine_bouncer/issues/51 or an error in my setup?

Would be great to get some feedback, because I tried a lot, but didn't find a proper setup.

Thanks for your time and support!

antek-drzewiecki commented 6 years ago

Hi @nlsrchtr,

Thanks for the issue. At the time of writing, WineBouncer tried to be API 1.x compliant. No securityDefinitions existed at that point. It shouldn't be hard to make it generate securityDefinitions, or both authorizations.

The only issue is when multiple authorization strategies are defined, such as OAuth and basic HTTP authentication. Feel free to see if you can make it spec 2 and 3 compatible :). I might have a moment later on this/next week if you don't succeed!
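The behaviour both comments describe (the Swagger 2.0 "security" requirement inferred from the oauth2 call instead of being repeated in desc, plus the case the maintainer raises of more than one strategy on a single endpoint) can be modelled in a small amount of Ruby. The following is an added example and is not wine_bouncer's or Grape's code: SwaggerApi, define_oauth2, define_basic_auth, build_example_api and the example URLs are assumptions made up for illustration, and the routes are constructed to mirror the /api/v1/me endpoint from the issue.

```ruby
require 'json'

# Minimal stand-in for a Grape-style route DSL (hypothetical; not wine_bouncer's
# or Grape's code). It models one way the Swagger 2.0 `security` requirement
# could be stamped onto an endpoint by the `oauth2` / `basic_auth` call itself,
# so it is not repeated in `desc`. It also covers two strategies on one route.
class SwaggerApi
  attr_reader :paths, :security_definitions

  def initialize
    @paths = {}
    @security_definitions = {}
    @pending_desc = nil
    @pending_security = []
  end

  # Swagger 2.0 securityDefinitions entry for an OAuth2 flow. For the password
  # flow only tokenUrl applies; `scopes` must be an object, not an array.
  def define_oauth2(name = 'oauth2', flow:, token_url:, scopes:, authorization_url: nil)
    entry = { 'type' => 'oauth2', 'flow' => flow, 'tokenUrl' => token_url, 'scopes' => scopes }
    entry['authorizationUrl'] = authorization_url if authorization_url
    @security_definitions[name] = entry
  end

  def define_basic_auth(name = 'basic')
    @security_definitions[name] = { 'type' => 'basic' }
  end

  # `desc` keeps whatever extra keys the caller passes (e.g. an explicit
  # `security:`), which takes precedence over the inferred requirement.
  def desc(summary, extra = {})
    @pending_desc = { 'summary' => summary }.merge(extra.transform_keys(&:to_s))
  end

  # Like wine_bouncer's `oauth2 'scope_a', 'scope_b'`: require the named scopes
  # for the next endpoint; no arguments means any valid token.
  def oauth2(*scopes)
    @pending_security << { 'oauth2' => scopes }
  end

  def basic_auth
    @pending_security << { 'basic' => [] }
  end

  def get(path, &_handler)
    add_route('get', path)
  end

  def post(path, &_handler)
    add_route('post', path)
  end

  def operation(verb, path)
    @paths.dig(path, verb)
  end

  def to_swagger
    { 'swagger' => '2.0', 'securityDefinitions' => @security_definitions, 'paths' => @paths }
  end

  private

  def add_route(verb, path)
    op = (@pending_desc || {}).dup
    # Each hash in `security` is an alternative: a request satisfying any one of
    # them is accepted (oauth2 OR basic). An explicit `security:` in desc wins.
    op['security'] ||= @pending_security unless @pending_security.empty?
    validate_security!(op['security'] || [])
    (@paths[path] ||= {})[verb] = op
    @pending_desc = nil
    @pending_security = []
    op
  end

  # Catch the mismatches that silently break Swagger UI: a scheme name with no
  # securityDefinitions entry, or an OAuth2 scope the definition never declares.
  def validate_security!(requirements)
    requirements.each do |req|
      req.each do |scheme, scopes|
        defn = @security_definitions[scheme]
        raise ArgumentError, "unknown security scheme: #{scheme}" unless defn
        next unless defn['type'] == 'oauth2'

        undeclared = scopes - defn['scopes'].keys
        raise ArgumentError, "undeclared scopes for #{scheme}: #{undeclared.join(', ')}" unless undeclared.empty?
      end
    end
  end
end

# Constructed example mirroring the /api/v1/me endpoint from the issue; URLs are placeholders.
def build_example_api
  api = SwaggerApi.new
  api.define_oauth2(flow: 'password', token_url: 'https://api.example.test/oauth/token',
                    scopes: { 'public' => 'Read access', 'write' => 'Write access' })
  api.define_basic_auth
  api.desc 'Return information of authenticated user'
  api.oauth2
  api.get('/api/v1/me') { 'present UserRepresenter.prepare(resource_owner)' }
  api.desc 'Update the authenticated user'
  api.oauth2 'write'
  api.basic_auth
  api.post('/api/v1/me') { 'update' }
  api.desc 'Health check'
  api.get('/api/v1/status') { 'ok' }
  api.desc 'Legacy endpoint', security: [{ 'basic' => [] }]
  api.oauth2
  api.get('/api/v1/legacy') { 'legacy' }
  api
end

puts JSON.pretty_generate(build_example_api.to_swagger) if $PROGRAM_NAME == __FILE__
```

Running the file prints the generated document; the GET on /api/v1/me now carries "security": [{"oauth2": []}] without it being written in desc, the POST lists oauth2 and basic as alternatives, the unprotected status route gets no "security" key at all, and an oauth2 call naming a scope that the securityDefinitions entry does not declare raises at definition time rather than producing a document that Swagger UI cannot authorize against.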