lukeautry / tsoa

Build OpenAPI-compliant REST APIs using TypeScript and Node
MIT License

Add 'cookie' as an allowable apiKey location in securitySchemes #1548

Closed tomlewis0 closed 5 months ago

tomlewis0 commented 6 months ago

Hi! 👋

Firstly, thanks for your work on this project! 🙂


Expected Behaviour

'cookie' is an allowable value for 'in' in the securitySchemes object, along with the existing values of 'query' and 'header'. See: https://swagger.io/specification/#security-scheme-object

I would expect to be able to build the OpenAPI spec with a configured security definition such as this:

const specOptions: ExtendedSpecConfig = {
  securityDefinitions: {
    "cf_jwt_cookie": {
      "type": "apiKey",
      "in": "cookie",
      "name": "CF_Authorization"
    },
    ...
  }
}

Current Behaviour

TSError: ⨯ Unable to compile TypeScript:
scripts/build.ts:60:9 - error TS2322: Type '"cookie"' is not assignable to type '"query" | "header"'.

Possible Solution

I've been running with this patch for a little while.

diff --git a/node_modules/@tsoa/runtime/dist/swagger/swagger.d.ts b/node_modules/@tsoa/runtime/dist/swagger/swagger.d.ts
index e766671..4407ebb 100644
--- a/node_modules/@tsoa/runtime/dist/swagger/swagger.d.ts
+++ b/node_modules/@tsoa/runtime/dist/swagger/swagger.d.ts
@@ -337,7 +337,7 @@ export declare namespace Swagger {
     export interface ApiKeySecurity extends BaseSecurity {
         type: 'apiKey';
         name: string;
-        in: 'query' | 'header';
+        in: 'query' | 'header' | 'cookie';
     }
     interface BaseOAuthSecurity extends BaseSecurity {
         scopes?: OAuthScope;
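
Review bot: the widened union on the `in` line of ApiKeySecurity is applied to a compiled declaration file under node_modules/@tsoa/runtime/dist, so it has to be reapplied after every install and changes type checking only; the same one-line change belongs in the source that swagger.d.ts is generated from. Also note that 'cookie' is a valid apiKey location in OpenAPI 3.0 but not in Swagger 2.0, which allows only 'query' and 'header'. If ApiKeySecurity in the Swagger namespace is also used when emitting 2.0 output, widen the union on a 3.0-specific type instead (or add a comment stating the restriction) so that a 2.0 spec cannot be built with `in: 'cookie'`.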

Context (Environment)

Version of the library: v6.0.1
Version of NodeJS: v20.10.0

Breaking change?

Non-breaking change

This issue body was partially generated by patch-package.

github-actions[bot] commented 6 months ago

Hello there tomlewis0 👋

Thank you for opening your very first issue in this project.

We will try to get back to you as soon as we can. 👀

jackey8616 commented 6 months ago

I also found out that, in OAS 3.0, the securitySchemeObject specification does not contain a 'basic' type. But specGenerator3 includes this logic, which I think will mislead users who follow the OAS 3.0 specs.

https://github.com/lukeautry/tsoa/blob/f300052515436230a51b35cdbcb4bf49c2b3994b/packages/cli/src/swagger/specGenerator3.ts#L92-L97

IMO, we should remove these lines to make a correction, and it might lead to a breaking change, by which those who falsely use this will be affected. cc @WoH
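
The two spec points raised in this thread (apiKey `in: 'cookie'` is defined by OpenAPI 3.0 but not by 2.0, and 'basic' is a 2.0 type that 3.0 expresses as type 'http' with scheme 'basic') can be checked before a spec is generated. The following is an added example, not code from tsoa or from any commenter; `lintSecuritySchemes`, `SchemeLike` and the sample data are hypothetical names constructed for illustration.

```typescript
// Added example, not tsoa code: every name below is hypothetical.
type SpecVersion = 2 | 3;

interface SchemeLike { type: string; in?: string; name?: string; scheme?: string }

// apiKey locations each specification version allows.
const API_KEY_LOCATIONS: Record<SpecVersion, readonly string[]> = {
  2: ["query", "header"],           // Swagger / OpenAPI 2.0
  3: ["query", "header", "cookie"], // OpenAPI 3.0
};

// Security scheme types each specification version defines.
const SCHEME_TYPES: Record<SpecVersion, readonly string[]> = {
  2: ["basic", "apiKey", "oauth2"],
  3: ["apiKey", "http", "oauth2", "openIdConnect"],
};

// Returns one finding per problem; an empty array means the schemes fit the version.
function lintSecuritySchemes(schemes: Record<string, SchemeLike>, version: SpecVersion): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(schemes)) {
    const s = schemes[id];
    if (SCHEME_TYPES[version].indexOf(s.type) === -1) {
      const hint = version === 3 && s.type === "basic"
        ? " (use type 'http' with scheme 'basic')" : "";
      findings.push(`${id}: type '${s.type}' is not defined in OpenAPI ${version}.0${hint}`);
      continue; // remaining checks assume a known type
    }
    if (s.type === "apiKey") {
      if (!s.name) findings.push(`${id}: apiKey requires 'name'`);
      if (!s.in || API_KEY_LOCATIONS[version].indexOf(s.in) === -1) {
        const allowed = API_KEY_LOCATIONS[version].join(", ");
        findings.push(`${id}: apiKey 'in' is '${s.in}', allowed in ${version}.0: ${allowed}`);
      }
    }
    if (s.type === "http" && !s.scheme) findings.push(`${id}: http requires 'scheme'`);
  }
  return findings;
}

// Constructed sample: the cookie scheme from the issue plus a legacy 'basic' entry.
const sample: Record<string, SchemeLike> = {
  cf_jwt_cookie: { type: "apiKey", in: "cookie", name: "CF_Authorization" },
  legacy_basic: { type: "basic" },
};
```

Linting `sample` as version 3 reports only `legacy_basic`; linting it as version 2 reports only `cf_jwt_cookie`.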

github-actions[bot] commented 5 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.