Any working JWT validation example?

[kkretsch]

I tried to migrate from swagger 2 to oas3 using oas3-tools 2.2.2 and the security features are still a problem.

I can add the bearer stuff for JWT tokens and select methods to need mandatory such tockens. The UI then denies access if no token is delivered. But how is the content of the JWT ever validated? I can just enter dummy stuff and get accesss to that function back. Not the way I expected this to work.

// swaggerRouter configuration
var options = {
    routing: {
        controllers: path.join(__dirname, './controllers')
    },
    logging: {
        format: 'combined',
        errorLimit: 400
    },
    openApiValidator: {
        validateSecurity: true,
        validateRequests: true,
        validateResponses: false
    }
};

If I just set validateSecurity to true this doesn't check the inner values of the JWT at all it seems.

Now if I try to add a function of my own to this:

  validateSecurity:
    {
           handlers: {
              bearerauth: auth.verifyToken
    }
  },

The function I wrote checks the JWT token like it should and either returns false (access gets denied as it should), or it returns just true -> Access is still denied by

{
  "message": "unauthorized",
  "errors": [
    {
      "path": "/v1/test",
      "message": "unauthorized"
    }
  ]
}

Has the user provided auth.verifyToken function any changed pattern? Not returning boolean but anything else now?

[camclark85]

You may have an issue with your validation function. I've successfully authenticated jwt tokens using a configuration similar to yours.

openApiValidator: {
        validateSecurity: {
            handlers: {
                BearerAuth: Auth.verifyToken,
            }
        }
    },

I'd also check to make sure the definition 'BearerAuth' in my cases matches what you have in your openapi doc.

[kkretsch]

You where right, my validation function had a minor bug with that async feedback.