Open zetaraku opened 1 year ago
Would you like to create a PR for this?
After doing some inspection, I found the cause of this behavior is described in the OpenAPI Specification, which describes the root security field as:
A declaration of which security mechanisms can be used across the API. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. Individual operations can override this definition. To make security optional, an empty security requirement ({}) can be included in the array.
The root security field seems to be intended as a default setting when security is not present on a route. (It seems not that useful.)
Applying @ApiSecurity() on the controller instead works well and I think it is more reasonable than using a "global" setting.
Not sure if we need to change the behavior or update the docs. What do you think?
Related to this, is there a way to indicate a single operation/controller as having no security requirements?
Is there an existing issue for this?
Current behavior
If any @ApiSecurity() decorator is present on a route, then the Available authorizations registered by global.addSecurityRequirements() on the route are gone.
Minimum reproduction code
https://github.com/zetaraku/nest-demo
Steps to reproduce
npm install
npm run start:dev
/api route
/without-decorator and /with-decorator route
Expected behavior
The local security requirements should be merged with the global security requirements so that both requirements are present.
Package version
6.1.4
NestJS version
9.0.0
Node.js version
16.17.0
In which operating systems have you tested?
Other
No response
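The override rule quoted from the OpenAPI Specification in this thread, as an added example that is not part of the issue or of @nestjs/swagger: a TypeScript audit that walks a generated document and reports, per route, which root schemes an operation-level security array has dropped. The document, the scheme names bearer and api_key, and the /public route are constructed for illustration; only the two route names come from the reproduction steps.

```typescript
// Added example: types cover only the OpenAPI fields used here.
type SecurityReq = { [scheme: string]: string[] };
type OperationMap = { [method: string]: { security?: SecurityReq[] } };
type OpenApiDoc = { security?: SecurityReq[]; paths: { [route: string]: OperationMap } };
type RouteFinding = {
  route: string;
  effective: SecurityReq[];  // what a client must actually satisfy
  overridesRoot: boolean;    // operation declares its own `security`
  droppedSchemes: string[];  // root schemes no longer offered on this route
  anonymous: boolean;        // callable without any credentials
};

// Distinct scheme names across a list of alternative requirements.
function schemeNames(reqs: SecurityReq[]): string[] {
  const names: string[] = [];
  for (const req of reqs)
    for (const key of Object.keys(req)) if (names.indexOf(key) === -1) names.push(key);
  return names;
}

// OpenAPI rule: an operation-level `security` array replaces the root array; it is not merged.
function auditSecurity(doc: OpenApiDoc): RouteFinding[] {
  const root: SecurityReq[] = doc.security || [];
  const findings: RouteFinding[] = [];
  for (const route of Object.keys(doc.paths)) {
    for (const method of Object.keys(doc.paths[route])) {
      const own = doc.paths[route][method].security;
      const effective: SecurityReq[] = own !== undefined ? own : root;
      const offered = schemeNames(effective);
      findings.push({
        route: method.toUpperCase() + " " + route,
        effective, overridesRoot: own !== undefined,
        droppedSchemes: schemeNames(root).filter((s) => offered.indexOf(s) === -1),
        // `[]` removes the requirement; an empty `{}` alternative makes it optional
        anonymous: effective.length === 0 || effective.some((r) => Object.keys(r).length === 0),
      });
    }
  }
  return findings;
}
// Constructed document: root requires "bearer"; one route declares "api_key".
const sampleSpec: OpenApiDoc = {
  security: [{ bearer: [] }],
  paths: {
    "/without-decorator": { get: {} },
    "/with-decorator": { get: { security: [{ api_key: [] }] } },
    "/public": { get: { security: [] } },
  },
};
for (const f of auditSecurity(sampleSpec)) console.log(f.route, JSON.stringify(f));
```

A route that reports a non-empty droppedSchemes without being intended as an exception is one where the root requirement no longer applies; repeating the root scheme in the operation's own security array restores it.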