[express-openapi] - request authorisation - Githubissues

kogosoftwarellc / open-api

A Monorepo of various packages to power OpenAPI in node

MIT License

895 stars 237 forks source link

[express-openapi] - request authorisation #667

Open j-zimnowoda opened 4 years ago

j-zimnowoda commented 4 years ago

Hi,

The express-openapi is a great framework that I am using a lot these days.

I am wondering how do you implement request authorisation?

Here are the solutions that I came up so far:

authorization as x-express-openapi-additional-middleware

pros:

can return HTTP 403 if not authorised

cons:

is executed for all request (no knowledge about api spec security)
requires parsing operationDoc to decide if the request shall be checked or not

authorization as securityHandler

pros:

is executed only for request that have defined securitySchema

cons:

can return only HTTP 401 if not authorised (403 is preferred)
inability to throw an exception and catch it error middleware

Non mentioned approach fully satisfies me. I am wondering if you have ever faced this issue and if you have some guideline.

Regards