Open geirolz opened 7 months ago
I think the solution is to simply make all path components a `.securityIn`. The inputs differ in the order of decoding: first all security inputs are decoded, the security logic is run, and then the rest of the inputs. See the note here: https://tapir.softwaremill.com/en/latest/endpoint/security.html#authentication-inputs
So you'd have:
```scala
val getUser = endpoint
  .securityIn(sttp.tapir.auth.bearer[AuthEncodedToken]())
  .securityIn("user")
  .securityIn(path[UserId]("id"))
```
Thanks @adamw for the quick reply.
Do you see this as a workaround or a definitive solution? Because this way, in `serverLogic` I won't have access to `UserId`.
Yes, then whatever security logic returns is available to the server logic - this might include any "raw" values from the inputs that are needed by the security logic to be also consumed by the server logic.
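The approach described in the replies above, as an added sketch that is not code from the thread or from the tapir project: the path `UserId` is a security input, the token-to-user check lives only in `serverSecurityLogic`, and the checked `UserId` is returned so `serverLogic` can consume it. The codecs, the `subjectOf` helper, the `demo:` token format and the error strings are assumptions made for illustration.

```scala
import sttp.tapir._
import scala.concurrent.Future

// Assumed wrapper types: the thread names them but does not show their definitions.
case class AuthEncodedToken(value: String)
case class UserId(value: String)

object GetUserExample {
  // Plain-text codecs so tapir can decode the bearer token and the path segment.
  implicit val tokenCodec: Codec[String, AuthEncodedToken, CodecFormat.TextPlain] =
    Codec.string.map(AuthEncodedToken(_))(_.value)
  implicit val userIdCodec: Codec[String, UserId, CodecFormat.TextPlain] =
    Codec.string.map(UserId(_))(_.value)

  // Hypothetical stand-in for real token verification (signature, expiry, ...):
  // a constructed token "demo:<id>" is treated as issued to user <id>.
  def subjectOf(token: AuthEncodedToken): Option[UserId] =
    Some(token.value).filter(_.startsWith("demo:")).map(v => UserId(v.drop(5)))

  // The whole authorization decision, kept in one pure function.
  def authorize(token: AuthEncodedToken, requested: UserId): Either[String, UserId] =
    subjectOf(token) match {
      case None                                 => Left("invalid token")
      case Some(subject) if subject != requested => Left("token not valid for this user")
      case Some(_)                              => Right(requested)
    }

  val getUser = endpoint.get
    .securityIn(auth.bearer[AuthEncodedToken]())
    .securityIn("user")
    .securityIn(path[UserId]("id"))
    // Error mapping kept minimal; a real endpoint would map these to 401/403.
    .errorOut(stringBody)
    .out(stringBody)
    // Security inputs are decoded first, so the security logic sees (token, id).
    .serverSecurityLogic[UserId, Future] { case (token, requestedId) =>
      Future.successful(authorize(token, requestedId))
    }
    // The value returned by the security logic arrives here as the first argument;
    // the regular input is Unit because every input was declared as a security input.
    .serverLogic { userId => _ =>
      Future.successful[Either[String, String]](Right(s"profile of ${userId.value}"))
    }
}
```

Because `serverLogic` only ever receives what `authorize` returned, an unchecked `UserId` cannot reach the business logic.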
Given this code I have some doubts
The problem is that with this design, within `serverSecurityLogic` I can just decode the token; if I want to check that the token has the rights to access that user, I have to move this logic into `serverLogic` because I don't have access to the `UserId`. This forces me to have the security logic in two places. It would be great to have access to the endpoint path values within `serverSecurityLogic` in order to have the security checks all in one place. Am I not seeing it right? Is there a solution?