search

bitwarden / passwordless-server

Bitwarden Passwordless.dev infrastructure/backend (API, database, Docker, etc).
https://bitwarden.com/
Other
83 stars 26 forks source link

PAS-580 | Use OpenApiSecurityRequirement instead of headers for auth #739

Open jonashendrickx opened 4 days ago

jonashendrickx commented 4 days ago

Ticket

Description

This change will benefit improved client code generated from the Open API schema we provide.

Shape

Screenshots

References the authentication scheme name for every request.

"/magic-links/send": {
      "post": {
        "tags": [
          "Magic Links"
        ],
        "summary": "Sends an e-mail containing a magic link template allowing users to login.",
        "externalDocs": {
          "description": "External Documentation",
          "url": "https://docs.passwordless.dev/guide/api.html#magic-links-send"
        },
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/SendMagicLinkRequest"
              }
            }
          },
          "required": true
        },
        "responses": {
          "400": {
            "description": "🔴 Bad request, see problem details for more info.",
            "content": {
              "application/problem+json": {
                "schema": {
                  "$ref": "#/components/schemas/HttpValidationProblemDetails"
                }
              }
            }
          },
          "204": {
            "description": "✅ Everything is OK, response is empty."
          },
          "429": {
            "description": "🔴 Too many requests, see problem details for more info.",
            "content": {
              "application/problem+json": {
                "schema": {
                  "$ref": "#/components/schemas/ValidationProblemDetails"
                }
              }
            }
          }
        },
        "security": [
          {
            "ApiSecret": [ ]
          }
        ]
      }
    },

The defined security schemes:

"securitySchemes": {
      "ApiKey": {
        "type": "apiKey",
        "description": "Front-end integrations",
        "name": "ApiKey",
        "in": "header"
      },
      "ApiSecret": {
        "type": "apiKey",
        "description": "Back-end integrations",
        "name": "ApiSecret",
        "in": "header"
      }
    }

image

image

Checklist

I did the following to ensure that my changes were tested thoroughly:

I did the following to ensure that my changes do not introduce security vulnerabilities:

codecov[bot] commented 4 days ago

Codecov Report

Attention: Patch coverage is 44.18605% with 24 lines in your changes missing coverage. Please review.

Project coverage is 35.19%. Comparing base (e77ce32) to head (f75cdac).

Files with missing lines Patch % Lines
...pi/OpenApi/Filters/AuthorizationOperationFilter.cs 0.00% 24 Missing :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #739 +/- ## ========================================== + Coverage 35.17% 35.19% +0.02% ========================================== Files 579 579 Lines 31247 31281 +34 Branches 898 898 ========================================== + Hits 10990 11009 +19 - Misses 20114 20129 +15 Partials 143 143 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.