phiz71 / vertx-swagger

Swagger integration in Eclipse Vert.X world. A dynamic Vert.X router, configured with a swagger file and a swagger-codegen plugin to generate a server stub.
Apache License 2.0
86 stars, 35 forks

Implementing a custom Auth provider is not considered #88

Closed. javadch closed this issue 2 years ago

javadch commented 7 years ago

When a path in a Swagger API spec declares security, e.g., BASIC, the code gen creates a call to User user = SwaggerRouter.extractAuthUserFromMessage(message); from the corresponding Verticle. This call retrieves the user from the headers (the reason for which is not obvious to me!) and assigns an AuthProvider to the user. I would like to see how and where to do the following:

  1. The above-mentioned procedure does not do the authentication. It should call the authProvider.authenticate(..., ...) method and decide whether to route the request to the implementation or to refuse it. I mean, the router can either pass the request to the implementation or reject the request with an Unauthorized status code and proper headers taken from the Swagger spec.

  2. How must a user log in for the first time? Let's say I have a login endpoint; how does this endpoint get an object of AuthProvider?

  3. It is not practical to pass the username/password alongside all the requests; how can I generate and send to the client a token (let's say a random string) that can be passed to subsequent API calls as evidence to show that the user is still authenticated? (This is something I would like the router to check and take the proper action on, according to #1 above.)

  4. I have my own specific authentication logic; how can I develop my own xAuthProvider (that implements Vert.x's AuthProvider) and register it with the generated authentication mechanism? For example, a call like createServiceImplementation in verticles, using dependency injection such as Guice, or even via a config file. This auth provider should be accessible to the login endpoint for logging in and out, as well as to the Swagger router to perform subsequent auth checks on incoming requests.

  5. The official PetStore swagger file comes with security and access control on some of the paths; it would be great if there were sample code here generated from that spec and a custom (even empty) auth provider.

javadch commented 7 years ago

I also added OAuth to the security definitions and applied it to one of the paths; the generated code did not change. In addition, the code tries to deserialize the user from the request header using a specific header key. This method does not work in OAuth and JWT scenarios.

javadch commented 7 years ago

This is a nice article to get to know how to perform authentication in Vert.x. Please consider that some paths may have more than one security definition. They also may have permissions, e.g., in OAuth (JWT). And more importantly, they use the Authorization header key to authorize a user after the user has successfully logged in, so use of any other header key, or serializing the user object into a key, should not be considered a reliable solution.
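An added example (not code from vertx-swagger or from the commenter) showing what items 1 and 4 of the first comment and the permission point of the last comment ask for in plain Vert.x 3.x terms: a custom AuthProvider implementation mounted in front of a route with Vert.x-Web's BasicAuthHandler, which reads the standard Authorization header, calls authenticate(), answers 401 with a WWW-Authenticate header on failure, and 403 when the user lacks the required authority. The class names CustomAuthProvider and CustomUser, the in-memory credential table and the /pet/* path are assumptions made for the example.

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.AbstractUser;
import io.vertx.ext.auth.AuthProvider;
import io.vertx.ext.auth.User;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BasicAuthHandler;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class CustomAuthVerticle extends AbstractVerticle {

  /** Hypothetical provider; a real one would query a user store holding salted password hashes. */
  static class CustomAuthProvider implements AuthProvider {
    private final Map<String, String> passwords = Collections.singletonMap("alice", "s3cret"); // constructed
    private final Map<String, Set<String>> authorities =
        Collections.singletonMap("alice", Collections.singleton("read:pets")); // constructed

    @Override
    public void authenticate(JsonObject authInfo, Handler<AsyncResult<User>> resultHandler) {
      String username = authInfo.getString("username"); // BasicAuthHandler fills these two keys
      String password = authInfo.getString("password");
      String expected = username == null ? null : passwords.get(username);
      // Constant-time comparison so a wrong guess does not leak timing information.
      boolean ok = expected != null && password != null && MessageDigest.isEqual(
          expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
      if (!ok) { resultHandler.handle(Future.failedFuture("invalid credentials")); return; }
      Set<String> granted = authorities.getOrDefault(username, Collections.emptySet());
      resultHandler.handle(Future.succeededFuture(new CustomUser(username, granted)));
    }
  }

  /** Minimal User: the authority check backs AuthHandler.addAuthority(...) below. */
  static class CustomUser extends AbstractUser {
    private final String name;
    private final Set<String> granted;
    CustomUser(String name, Set<String> granted) { this.name = name; this.granted = granted; }
    @Override protected void doIsPermitted(String authority, Handler<AsyncResult<Boolean>> h) {
      h.handle(Future.succeededFuture(granted.contains(authority)));
    }
    @Override public JsonObject principal() { return new JsonObject().put("username", name); }
    @Override public void setAuthProvider(AuthProvider authProvider) { /* not needed here */ }
  }

  @Override
  public void start() {
    Router router = Router.router(vertx);
    // Auth handler runs before the implementation handler on every matching request.
    router.route("/pet/*").handler(BasicAuthHandler.create(new CustomAuthProvider(), "petstore").addAuthority("read:pets"));
    router.get("/pet/:petId").handler(ctx -> ctx.response().end(ctx.user().principal().encode()));
    vertx.createHttpServer().requestHandler(router::accept).listen(8080);
  }
}
```

Swapping the Basic handler for Vert.x-Web's JWTAuthHandler with a JWTAuth provider gives the token flow asked for in item 3 on the same Authorization header, without changing the route wiring.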