Open malnor opened 3 years ago
If you're checking multiple security handlers, and they both throw with messages, which message do you choose?
Hi, I already implemented this feature internally, by returning stored promise rejections if all the handlers fail. I'll submit this as a PR next week; this would probably be a breaking change.
So we are using express-openapi and love much of it. We implemented security handlers that we can apply to any endpoint and when the security checks are not okay, we throw and get that as the return message. But then we have cases where we need to have multiple types of checks, so that either it is okay for security handler A OR security handler B. The problem now is that this won't work when you throw, because if it throws it will not continue to the next security check. The only way to get past this from what I can see (checking the code) is to return `Promise.reject(false)` - but then I always get the same error message: `No security handlers returned an acceptable response` and `authentication.openapi.security`.

The problem now is that our explicit error messages are gone - so we can't separate between 403 (forbidden) and 401 (unauthorised). I would expect it to be possible to customise the response, both status code and message returned. Preferably I would like to throw whatever but have that work like return false does now.
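
One way to get the A-or-B behaviour described in this issue while keeping each handler's own status and message, as an added example that is not code from the issue or from express-openapi. The handler signature `(req, scopes, definition)`, the thrown `{status, message}` shape, the names `anyOf` and `pickFailure`, the sample handlers and the 403-before-401 policy are all assumptions.

```javascript
// Added example, not express-openapi code. Assumed handler contract:
// (req, scopes, definition) resolves true, resolves false, or throws {status, message}.

// Decide which failure to report when every alternative failed.
// Assumed policy: a 403 (caller identified but denied) beats a 401; a failure
// with no numeric status (false, a plain Error) falls back to a generic 401.
function pickFailure(failures) {
  const withStatus = failures.filter((f) => f && typeof f.status === 'number');
  return (
    withStatus.find((f) => f.status === 403) ||
    withStatus.find((f) => f.status === 401) ||
    withStatus[0] ||
    { status: 401, message: 'No security handlers returned an acceptable response' }
  );
}

// OR-combine handlers: the first one to resolve true wins. A throw or a false
// from one handler is recorded and the next handler still runs, so the
// combination fails closed only after every alternative has been tried.
function anyOf(...handlers) {
  return async function combined(req, scopes, definition) {
    const failures = [];
    for (const handler of handlers) {
      try {
        if (await handler(req, scopes, definition)) return true;
        failures.push(null); // handler returned false without a reason
      } catch (err) {
        failures.push(err);
      }
    }
    throw pickFailure(failures);
  };
}

// Constructed sample handlers (hypothetical header name and key value).
const apiKey = async (req) => {
  const key = req.headers['x-api-key'];
  if (!key) throw { status: 401, message: 'API key missing' };
  if (key !== 'constructed-key') throw { status: 403, message: 'API key not allowed here' };
  return true;
};
const session = async (req) => {
  if (!req.session) throw { status: 401, message: 'Not logged in' };
  return true;
};
const apiKeyOrSession = anyOf(apiKey, session);
```

Registering `apiKeyOrSession` as a single handler keeps the OR logic in application code, so the choice of which message to surface stays explicit.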