search

ogen-go / ogen

OpenAPI v3 code generator for go
https://ogen.dev
Apache License 2.0
1.45k stars 86 forks source link

security: Using Multiple Authentication Types #1298

Open utherbit opened 3 months ago

utherbit commented 3 months ago

Description

My API needs multiple authentication keys at once. I can achieve this using middleware, but I have to create a blank SecurityHandler. It would be cool if the SecurityHandler provided me with key combinations.

Currently, SecurityHandler only supports the "or" option from the example below.

Desired result: For the second example, you need to generate one SecurityHandler method, not two. For the third example - two methods, not 4

References

https://swagger.io/docs/specification/authentication/ scroll to "Using Multiple Authentication Types"

Some REST APIs support several authentication types. The security section lets you combine the security requirements using logical OR and AND to achieve the desired result. security uses the following logic

security:    # A OR B
  - A
  - B
security:    # A AND B
  - A
    B
security:    # (A AND B) OR (C AND D)
  - A
    B
  - C
    D
tdakkota commented 3 months ago

To generate a method, ogen needs a method name. What name should be used? Handle<A><B> does not sound great, especially if there is more than two security requirements and each one have name longer than one letter.

Also, this is become pretty complicated, since each operation in the spec may have its own set of security requirements.

Currently, SecurityHandler only supports the "or" option from the example below.

No, ogen checks whether if it is A and B or C and D. But if you want to pass some data from security handler, you need to pass it through context.Context .

utherbit commented 3 months ago

You are right, the method name will be long. Now the signature of the security methods will go beyond the boundary, it will be even worse.

In this form it is really not an easy task.

However, I do not like the idea of ​​passing through the context, I wrote my http middleware over ogen to not pass the authentication data through the context, because in this case it is not obvious to me at what point the information collection will end and it will be possible to start processing it, unless in the middleware that will be executed after the security handler.

Since I wrote my middleware for authorization, I will have to implement a dummy SecurityHandler, since it is mandatory.

I like the logic that currently checks authentication (with a bitmap). But I think it is enough that it checks for the presence of the required headers.

I have an idea, which is probably not the best. Maybe it would be more convenient to make one handler for all authentication methods? I see this as a ServerOption similar to WithErrorHandler or WithNotFound eg WithAuthenticationHandler

Changes to this logic will be critical in any case, so I don't expect a decision to be made anytime soon.