vert-x3 / vertx-web

HTTP web applications for Vert.x
Apache License 2.0

[vertx-web-openapi-router] Can't add an authentication handler to a route that uses a validator #2535

Closed lukasjelonek closed 9 months ago

lukasjelonek commented 11 months ago

Version

4.5.0

Context

I evaluated the new RouterBuilder and got an exception when I added an AuthenticationHandler to a route that has doValidation set to true (the default value).

[...]
      rb.getRoute("my-route")
          .addHandler(oauthHandler)
          .addHandler(ctx -> ctx.end());
      var router = rb.createRouter();
[...]
java.lang.IllegalStateException: Cannot add [AUTHENTICATION] handler to route with [INPUT_TRUST] handler at index 0
        at io.vertx.ext.web.impl.RouteState.addContextHandler(RouteState.java:555)
        at io.vertx.ext.web.impl.RouteImpl.handler(RouteImpl.java:143)
        at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
        at io.vertx.ext.web.openapi.router.impl.RouterBuilderImpl.createRouter(RouterBuilderImpl.java:107)
[...]

A peek at the source code of createRoute revealed that the InputTrustHandler, which validates the request, is always added first to the handler chain. In combination with the strict handling of the handler weights in RouteState, this makes it impossible to add any AuthenticationHandler to such a route.

A workaround might be to disable validation for all routes and then to add the validation handler manually at the respective position.

Would it be possible to add the InputTrustHandler to a valid position of the handler-chain? e.g.

  1. add all handlers to the route until the INPUT_TRUST category
  2. add the generated InputTrustHandler
  3. add the remaining handlers

Extra

lukasjelonek commented 11 months ago

I just saw that the master branch already handles this problem. It won't be backported to the 4.x branch, will it? If not, I will just wait for the Vert.x 5 release and give it a try then.

pk-work commented 9 months ago

Hi @lukasjelonek, I tried to backport it to 4.x a while ago, but it was too difficult because the security validation features rely on other features added to vertx-web.

So unfortunately you have to wait for Vert.x 5. Another workaround would be adding an AuthHandler without the marker interface to the OpenAPIRoute, so it won't be detected. Or disable the checks [1].

Does this "solve" your issue?

[1] https://github.com/vert-x3/vertx-web/issues/2182#issuecomment-1132206606

lukasjelonek commented 9 months ago

@pk-work Thanks for the information. Using the lenient mode for the router does work. I already had to use it in the old OpenAPI implementation and had not thought that it is supported in the new OpenAPI implementation. This solves the issue for me.
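The ordering proposed in the opening post (steps 1 to 3), as an added example that is not part of the thread and not vertx-web code. It is a simplified model: the `Category` enum, the `Handler` record and all method names are hypothetical, and only the AUTHENTICATION and INPUT_TRUST names and the exception text come from the report (Java 16+ for records).

```java
import java.util.ArrayList;
import java.util.List;

public class HandlerOrderDemo {
    // Hypothetical, reduced category list in required order; USER is an assumption.
    enum Category { AUTHENTICATION, INPUT_TRUST, USER }
    record Handler(String name, Category category) {}

    // Strict check modelled on the reported exception: reject a handler
    // if the chain already holds one from a later category.
    static void addStrict(List<Handler> chain, Handler h) {
        for (int i = 0; i < chain.size(); i++) {
            Category existing = chain.get(i).category();
            if (existing.compareTo(h.category()) > 0) {
                throw new IllegalStateException("Cannot add [" + h.category()
                    + "] handler to route with [" + existing + "] handler at index " + i);
            }
        }
        chain.add(h);
    }

    // Behaviour described in the report: generated validator first, user handlers after.
    static List<Handler> buildValidatorFirst(Handler validator, List<Handler> user) {
        List<Handler> chain = new ArrayList<>();
        addStrict(chain, validator);
        user.forEach(h -> addStrict(chain, h));
        return chain;
    }

    // Proposed order: handlers before INPUT_TRUST, then the validator, then the rest.
    static List<Handler> buildProposed(Handler validator, List<Handler> user) {
        List<Handler> chain = new ArrayList<>();
        boolean placed = false;
        for (Handler h : user) {
            if (!placed && h.category().compareTo(Category.INPUT_TRUST) >= 0) {
                addStrict(chain, validator);
                placed = true;
            }
            addStrict(chain, h);
        }
        if (!placed) addStrict(chain, validator); // only earlier-category handlers were given
        return chain;
    }

    public static void main(String[] args) {
        Handler validator = new Handler("generatedValidator", Category.INPUT_TRUST);
        List<Handler> user = List.of(new Handler("oauthHandler", Category.AUTHENTICATION),
                                     new Handler("endHandler", Category.USER));
        try { buildValidatorFirst(validator, user); }
        catch (IllegalStateException e) { System.out.println("validator first: " + e.getMessage()); }
        System.out.println("proposed: " + buildProposed(validator, user));
    }
}
```

In this model the strict check stays active for every handler, so a misordered chain still fails at setup time instead of being accepted silently.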