Open 987Nabil opened 9 months ago
@jdegoes would you like to add some requirements?
I prefer to split the generic Authorization header codec into specific ones.
/bounty $100
OpenAPI 3.1 allows for using scopes even on non-OAuth2 security schemes (example).
It would be great if zio-http allowed declaration of scopes on any Authorization type, and generation of matching OpenAPI specs. Declaring permissions as types or values and expressing that one of potentially multiple allowed ones is required for an Endpoint would be very useful, and could allow for thorough authorization testing of APIs.
While authorization would typically be handled by middleware, OpenAPI generation probably can't be modified by that. I think having a way to (optionally) express authorization requirements on header inputs that can be retrieved both for API specs and also for e.g. tests, with middleware being responsible for augmenting "raw" header inputs with appropriate permissions (by reading OAuth scopes from a bearer token, matching Basic Auth information against a database, ...), would be an awesome way to encode security requirements in a zio-http API. Security should be a first-class citizen of an API, like any other input such as a path or request body.
@hanneshauer I like that idea. 👍
Currently, we can require the authorization header in the endpoint API, but we do not know if this is, for example, Basic Auth or Bearer Auth. This makes it impossible to generate auth schemas for OpenAPI, for example.
Two possible solutions might be
- Endpoint
- Split the generic Authorization header codec into specific ones (HeaderCodec.basicAuth etc.)
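Constructed sketch, added here and not zio-http code or part of the thread, of the design discussed in the comment above and in the issue body: an endpoint-level auth requirement that knows whether it is Basic or Bearer, the OpenAPI 3.1 security objects generated from it (a non-empty scope array on an `http` scheme), a scheme-specific header decoder, and a middleware-style check that passes when the caller holds all scopes of any one of several alternatives. The names `AuthScheme`, `AuthRequirement`, the token table and the `users:read`/`admin` scopes are assumptions.

```python
import base64
from dataclasses import dataclass

# Constructed model of the idea in the thread; it does not use the zio-http API.

@dataclass(frozen=True)
class AuthScheme:
    name: str         # key under components.securitySchemes
    http_scheme: str  # "basic" or "bearer"

@dataclass(frozen=True)
class AuthRequirement:
    scheme: AuthScheme
    alternatives: tuple  # tuple of frozensets: ALL scopes of ANY one alternative suffice

def security_scheme_object(scheme: AuthScheme) -> dict:
    """components.securitySchemes entry for an HTTP auth scheme."""
    return {"type": "http", "scheme": scheme.http_scheme}

def security_requirement_objects(req: AuthRequirement) -> list:
    """Operation-level 'security': list entries are OR-ed; OpenAPI 3.1 allows a
    non-empty scope array even for non-OAuth2 schemes (empty array = scheme only)."""
    return [{req.scheme.name: sorted(alt)} for alt in req.alternatives]

def decode_authorization(header: str, scheme: AuthScheme) -> str:
    """Scheme-specific codec: accept only the declared scheme and return the credential
    (user:password for basic, the raw token for bearer); anything else is rejected."""
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != scheme.http_scheme:
        raise ValueError(f"expected {scheme.http_scheme} credentials")
    cred = parts[1].strip()
    if scheme.http_scheme == "basic":
        decoded = base64.b64decode(cred, validate=True).decode("utf-8")
        if ":" not in decoded:
            raise ValueError("malformed basic credentials")
        return decoded
    return cred

def is_authorized(granted: frozenset, req: AuthRequirement) -> bool:
    return any(alt <= granted for alt in req.alternatives)

def authorize(header: str, req: AuthRequirement, permissions_of) -> bool:
    """Middleware step: decode the header, resolve granted permissions via a lookup
    (standing in for token introspection or a user database), then check them."""
    try:
        cred = decode_authorization(header, req.scheme)
    except ValueError:
        return False
    return is_authorized(frozenset(permissions_of(cred)), req)

BEARER = AuthScheme("bearerAuth", "bearer")
READ_USERS = AuthRequirement(BEARER, (frozenset({"users:read"}), frozenset({"admin"})))
TOKEN_SCOPES = {"tok-reader": {"users:read"}, "tok-admin": {"admin"}, "tok-none": set()}  # constructed
```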