krakenjs / swaggerize-express

Design-driven apis with swagger 2.0 and express.

Attempting to use multiple security definitions for a single path #97

Closed jcabarlo closed 8 years ago

jcabarlo commented 8 years ago

I have 2 security definitions:

    "securityDefinitions": {
        "api_key1": {
            "type": "apiKey",
            "name": "Authorization",
            "in": "header",
            "x-authorize": "middleware/manageApiKey1"
        },
        "api_key2": {
            "type": "apiKey",
            "name": "X-API-Key",
            "in": "header",
            "x-authorize": "middleware/manageApiKey2"
        }
    }

I have a path that I'd like to use both security middleware pieces for:

        "/apiCheck/": {
            "get": {
                "summary": "apiCheck for the service",
                "description": "apiCheck for the service",
                "operationId": "apiCheck",
                "parameters": [],
                "responses": {
                    "200": {
                        "description": "apiCheck success",
                        "schema": {
                            "type": "string"
                        }
                    },
                    "500": {
                        "description": "apiCheck failure",
                        "schema": {
                            "type": "string"
                        }
                    }                    
                },
                "security": [
                    {
                        "api_key1": [],
                        "api_key2": []
                    }
                ]       
            }
        }

Using the above, I thought it would run both middleware functions in the order of "api_key1" and then "api_key2". Using some console logging, I am seeing that function api_key1 gets called, but, before it finishes, api_key2 is called. In my tests, api_key1 is invalid and api_key2 is valid, but, since api_key2 gets finished before api_key1, the application is returning a 200 rather than the expected 500.

To see if I'm running into callback issues, I removed the use of security in the swagger and put them as middleware in the express app and it works as expected (returning a 500 instead of a 200).

Am I doing something wrong on my swagger security or does it not function this way?

tlivings commented 8 years ago

Auth handlers are called via async.some so they are not called in series, but rather pass when at least one passes.

ryanbecker commented 6 years ago

Are there plans to support the logical AND/OR behavior? https://swagger.io/docs/specification/2-0/authentication/
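
The two evaluation modes discussed in this thread, as an added example that is not part of the original issue and is not swaggerize-express's own code: plain Promises model the "at least one passes" behaviour next to a series, fail-closed alternative. The helpers `checkHeader`, `run`, `anyOf` and `allOf`, the header values and the delays are constructed for illustration, and the `(req, res, next)` handler signature is an assumption.

```javascript
// Constructed authorizers in Express middleware style (req, res, next).
// The delay makes the invalid check finish last, as in the report above.
function checkHeader(name, expected, delayMs) {
  return function authorize(req, res, next) {
    setTimeout(() => {
      if (req.headers[name] === expected) return next();
      const err = new Error('invalid ' + name);
      err.status = 401;
      next(err);
    }, delayMs);
  };
}

// Promise wrapper so a handler's outcome can be awaited.
function run(handler, req) {
  return new Promise((resolve, reject) =>
    handler(req, {}, (err) => (err ? reject(err) : resolve())));
}

// OR: all handlers start at once; the request passes if any one succeeds.
// Models the "at least one passes" behaviour described in the thread.
async function anyOf(handlers, req) {
  const results = await Promise.allSettled(handlers.map((h) => run(h, req)));
  return results.some((r) => r.status === 'fulfilled');
}

// AND: handlers run in declaration order and the first failure denies.
async function allOf(handlers, req) {
  for (const h of handlers) {
    try { await run(h, req); } catch (err) { return false; }
  }
  return true;
}

// Constructed request: the api_key1 value is wrong, the api_key2 value is correct.
const handlers = [
  checkHeader('authorization', 'key1-secret', 30), // slow, will fail
  checkHeader('x-api-key', 'key2-secret', 5),      // fast, will pass
];
const req = { headers: { authorization: 'wrong', 'x-api-key': 'key2-secret' } };

async function demo() {
  return { or: await anyOf(handlers, req), and: await allOf(handlers, req) };
}
demo().then((r) => console.log(r)); // { or: true, and: false }
```

With the series form the request from the report is denied, which matches what the reporter saw after registering both checks as ordinary Express middleware.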