open-api-spex / open_api_spex

Open API Specifications for Elixir Plug applications
Mozilla Public License 2.0

Are securitySchemes validating? #629

Closed pauldemarco closed 1 month ago

pauldemarco commented 1 month ago

Consider this common securityScheme in my main %OpenApi{} spec:

components: %Components{
  securitySchemes: %{
    "bearerAuth" => %SecurityScheme{
      type: "http",
      scheme: "bearer",
      bearerFormat: "JWT"
    }
  }
}

...and I use it in this operation like so:

operation :user,
  ...
  security: [%{"bearerAuth" => []}],
  ...

...and with the basic setup like the one found in the Phoenix example, will OpenApiSpex automatically validate that the header Authorization Bearer exists?

pauldemarco commented 1 month ago

Update: It looks like open_api_spex helps you document the security scheme, but leaves it up to us to enforce it. As per: https://github.com/open-api-spex/open_api_spex/issues/276#issuecomment-686836124

Will close this issue -- please re-open if this is not the case.

Thanks for this great library!
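
Since the thread concludes that the declared scheme is documentation only, the following added example (not part of the original issue and not open_api_spex code) sketches a Plug that enforces the `bearerAuth` scheme at runtime. The module name `MyAppWeb.Plugs.RequireBearer`, the `:verifier` option and the `MyApp.Token.verify/1` contract are assumptions; JWT signature and claim validation is delegated to that verifier module.

```elixir
defmodule MyAppWeb.Plugs.RequireBearer do
  # Added example; the module name and the verifier contract are hypothetical.
  # Enforces at runtime what the spec's "bearerAuth" scheme only documents.
  #
  # Router usage, on the pipeline serving operations that declare
  #   security: [%{"bearerAuth" => []}]
  #
  #   plug MyAppWeb.Plugs.RequireBearer, verifier: MyApp.Token
  #
  # MyApp.Token.verify/1 (assumed) must check signature, expiry and audience
  # and return {:ok, claims} or {:error, reason}.
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: %{verifier: Keyword.fetch!(opts, :verifier)}

  @impl true
  def call(conn, %{verifier: verifier}) do
    with {:ok, token} <- bearer_token(conn),
         {:ok, claims} <- verifier.verify(token) do
      # Make the verified claims available to controllers.
      assign(conn, :claims, claims)
    else
      # Same response for every failure, so callers learn nothing about why.
      _ -> unauthorized(conn)
    end
  end

  # Accept exactly one Authorization header of the form "Bearer <token>".
  # A missing header, a duplicated header, another scheme or an empty
  # token all fail closed.
  defp bearer_token(conn) do
    with [value] <- get_req_header(conn, "authorization"),
         [scheme, rest] <- String.split(value, " ", parts: 2),
         true <- String.downcase(scheme) == "bearer",
         token when token != "" <- String.trim(rest) do
      {:ok, token}
    else
      _ -> :error
    end
  end

  defp unauthorized(conn) do
    conn
    |> put_resp_header("www-authenticate", "Bearer")
    |> send_resp(401, "Unauthorized")
    |> halt()
  end
end
```

The call to `halt/1` is what stops the rest of the pipeline, including the controller action, from running on an unauthenticated request.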