jhthorsen / mojolicious-plugin-openapi

OpenAPI / Swagger plugin for Mojolicious

Security bypassed when SpecRenderer plug-in enabled #172

Closed lbjw closed 4 years ago

lbjw commented 4 years ago

Hi

Mojolicious version: 8.12, OpenAPI plugin version: 3.24

If you enable the SpecRenderer plugin, the security callback is no longer called for protected routes. For example:

    $app->plugin("OpenAPI" => {
        spec                           => 'file:///somewhere/spec.json',
        schema                         => 'v3',
        plugins                        => [qw(+SpecRenderer)],
        render_specification           => 1,
        render_specification_for_paths => 1,
        security                       => {
            bearerAuth => \&bearerAuth,
        },
    });

The bearerAuth is specified in the OpenAPI JSON spec file. With SpecRenderer enabled, the bearerAuth sub callback is never executed. If you remove the plugin, it is executed. This seems to be a pretty serious security flaw.

Thanks

jhthorsen commented 4 years ago

It's not so strange, since you are only loading SpecRenderer and not Security in your example code.

FYI: Cors, SpecRenderer and Security are loaded by default. References:
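The pitfall the maintainer points out, shown as an added illustration that is not from the issue or the project's own code: an explicit `plugins` list replaces the default list rather than extending it, so a list that names only SpecRenderer silently drops Security. The `+Cors` and `+Security` entries are assumed from the reply's list of defaults and the `+SpecRenderer` naming on the page, and the callback signature `($c, $definition, $scopes, $cb)` is assumed from the Security plugin's documented interface.

```perl
use Mojolicious::Lite;

# Security callback for the "bearerAuth" scheme named in the spec file.
# Signature and the $c->$cb(...) convention are assumed from the Security
# plugin's interface: call $cb with no argument to allow the request, or
# with an error message to deny it.
sub bearerAuth {
  my ($c, $definition, $scopes, $cb) = @_;
  my $auth = $c->req->headers->authorization // '';
  # Placeholder check: only verifies the header shape, not a real token.
  return $c->$cb() if $auth =~ m!^Bearer\s+\S+$!;
  return $c->$cb('Missing or malformed bearer token');
}

# BROKEN (the configuration from the report): "plugins" is given explicitly,
# so only SpecRenderer is loaded. Security is never loaded, and bearerAuth
# is never called even though "security" is configured.
#
# plugin OpenAPI => {
#   spec                           => 'file:///somewhere/spec.json',
#   schema                         => 'v3',
#   plugins                        => [qw(+SpecRenderer)],
#   render_specification           => 1,
#   render_specification_for_paths => 1,
#   security                       => { bearerAuth => \&bearerAuth },
# };

# CORRECT: either omit "plugins" entirely to keep the defaults, or list
# every plugin you need, including Security (names assumed, see lead-in).
plugin OpenAPI => {
  spec                           => 'file:///somewhere/spec.json',
  schema                         => 'v3',
  plugins                        => [qw(+Cors +SpecRenderer +Security)],
  render_specification           => 1,
  render_specification_for_paths => 1,
  security                       => { bearerAuth => \&bearerAuth },
};

app->start;
```

A quick regression check after changing the plugin list is to request a protected route without an Authorization header and confirm that bearerAuth is actually reached and rejects it.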