zio / zio-http

A next-generation Scala framework for building scalable, correct, and efficient HTTP clients and servers
https://zio.dev/zio-http
Apache License 2.0
787 stars 396 forks

Encode Authorization requirements in `Endpoint` API #2592

Open 987Nabil opened 9 months ago

987Nabil commented 9 months ago

Currently, we can require the Authorization header in the endpoint API, but we do not know if this is, for example, Basic Auth or Bearer Auth. This makes it impossible to generate auth schemas for OpenAPI, for example.

Two possible solutions might be

987Nabil commented 9 months ago

@jdegoes would you like to add some requirements?

jdegoes commented 8 months ago

I prefer to split the generic Authorization header codec into specific ones.

jdegoes commented 8 months ago

/bounty $100

algora-pbc[bot] commented 8 months ago

💎 $100 bounty • ZIO

Steps to solve:

  1. Start working: Comment /attempt #2592 with your implementation plan
  2. Submit work: Create a pull request including /claim #2592 in the PR body to claim the bounty
  3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to zio/zio-http!


hanneshauer commented 8 months ago

OpenAPI 3.1 allows for using scopes even on Non-OAuth2-Security Schemes (example).

It would be great if zio-http allowed declaration of scopes on any Authorization type, and generation of matching OpenAPI-specs. Declaring permissions as types or values and expressing that one of potentially multiple allowed ones is required for an Endpoint would be very useful, and could allow for thorough authorization-testing of APIs.

While authorization would typically be handled by middleware, OpenAPI-generation probably can't be modified by that. I think having a way to (optionally) express authorization requirements on header inputs that can be retrieved both for API specs but also e.g. tests, with middleware being responsible for augmenting "raw" header inputs with appropriate permissions (by reading OAuth-scopes from a bearer token, matching Basic Auth-Information against a database, ...), would be an awesome way to encode security requirements in a zio-http-API. Security should be a first-class citizen of an API, like any other input like a path or request body.
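The following is an added sketch, not zio-http code or a proposal from the thread's participants, of the shape both comments above point at: the generic Authorization header replaced by per-scheme requirements (the split jdegoes asks for), scopes attached to a non-OAuth2 scheme (as hanneshauer describes), the same value rendered as an OpenAPI 3.1 fragment, and a middleware-style check that turns the raw header into a verified principal. Every type and method name (`AuthScheme`, `EndpointSpec`, `authorize`, and so on) is hypothetical and stands in for whatever the real `Endpoint` API would expose; the token table and credentials are constructed sample data.

```scala
import java.nio.charset.StandardCharsets
import java.util.Base64
import scala.util.Try

object AuthRequirements {

  // One concrete requirement per scheme instead of a single generic header.
  // Scopes on Bearer are plain strings, which OpenAPI 3.1 accepts even for
  // a non-OAuth2 http scheme.
  sealed trait AuthScheme
  object AuthScheme {
    final case class Basic(realm: String)                 extends AuthScheme
    final case class Bearer(requiredScopes: Set[String])  extends AuthScheme
  }

  // What the middleware hands to the handler once the header is verified.
  sealed trait Principal
  final case class BasicUser(user: String)                 extends Principal
  final case class TokenSubject(grantedScopes: Set[String]) extends Principal

  // Hypothetical endpoint description: only the pieces relevant here.
  final case class EndpointSpec(method: String, path: String, auth: Option[AuthScheme])

  private def jsonStr(s: String): String = "\"" + s + "\""

  // `components.securitySchemes` entry for the scheme (hand-rendered JSON).
  def securitySchemeJson(scheme: AuthScheme): (String, String) = scheme match {
    case AuthScheme.Basic(_)  => "basicAuth"  -> """{"type":"http","scheme":"basic"}"""
    case AuthScheme.Bearer(_) => "bearerAuth" -> """{"type":"http","scheme":"bearer"}"""
  }

  // Per-operation `security` requirement; scopes are listed for Bearer.
  def securityRequirementJson(scheme: AuthScheme): String = scheme match {
    case AuthScheme.Basic(_) => """[{"basicAuth":[]}]"""
    case AuthScheme.Bearer(scopes) =>
      "[{\"bearerAuth\":[" + scopes.toList.sorted.map(jsonStr).mkString(",") + "]}]"
  }

  // Splits "Scheme credentials"; scheme names are case-insensitive (RFC 7235).
  private def credentialsFor(header: Option[String], scheme: String): Option[String] =
    header.map(_.trim.split("\\s+", 2)).collect {
      case Array(name, creds) if name.equalsIgnoreCase(scheme) => creds
    }

  // Middleware-style check. `verifyBasic` and `lookupScopes` stand in for a
  // credential store / token introspection that a real application supplies.
  // Left carries the status and challenge a handler would turn into a response.
  def authorize(
    spec: EndpointSpec,
    authorizationHeader: Option[String],
    verifyBasic: (String, String) => Boolean,
    lookupScopes: String => Option[Set[String]]
  ): Either[String, Option[Principal]] = spec.auth match {
    case None => Right(None) // public endpoint, nothing to check

    case Some(AuthScheme.Basic(realm)) =>
      val challenge = "401 WWW-Authenticate: Basic realm=" + jsonStr(realm)
      credentialsFor(authorizationHeader, "Basic")
        .flatMap(c => Try(new String(Base64.getDecoder.decode(c), StandardCharsets.UTF_8)).toOption)
        .map(_.split(":", 2)) match {
          case Some(Array(user, pass)) if verifyBasic(user, pass) => Right(Some(BasicUser(user)))
          case _                                                  => Left(challenge)
        }

    case Some(AuthScheme.Bearer(required)) =>
      credentialsFor(authorizationHeader, "Bearer").flatMap(lookupScopes) match {
        case None => Left("401 WWW-Authenticate: Bearer")
        case Some(granted) if required.subsetOf(granted) => Right(Some(TokenSubject(granted)))
        case Some(granted) =>
          Left("403 missing scopes: " + (required -- granted).toList.sorted.mkString(" "))
      }
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample data: one endpoint, one known token, one user.
    val orders = EndpointSpec("GET", "/orders", Some(AuthScheme.Bearer(Set("orders:read"))))
    val tokens = Map("tok-abc" -> Set("orders:read", "orders:write"), "tok-xyz" -> Set("profile"))
    val users  = Map("alice" -> "s3cret")

    val verifyBasic  = (u: String, p: String) => users.get(u).contains(p)
    val lookupScopes = (t: String) => tokens.get(t)

    orders.auth.foreach { s =>
      println(securitySchemeJson(s))        // (bearerAuth,{"type":"http","scheme":"bearer"})
      println(securityRequirementJson(s))   // [{"bearerAuth":["orders:read"]}]
    }
    println(authorize(orders, Some("Bearer tok-abc"), verifyBasic, lookupScopes)) // Right(Some(TokenSubject(...)))
    println(authorize(orders, Some("Bearer tok-xyz"), verifyBasic, lookupScopes)) // Left(403 missing scopes: orders:read)
    println(authorize(orders, None, verifyBasic, lookupScopes))                   // Left(401 WWW-Authenticate: Bearer)
  }
}
```

The point of the sketch is that a single value, the `AuthScheme` on the endpoint, drives three things that today have to be kept in sync by hand: the OpenAPI security scheme, the per-operation scope list, and the runtime check. Tests can read the same value to verify that every endpoint carrying a Bearer requirement rejects a token lacking the listed scopes.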

jdegoes commented 8 months ago

@hanneshauer I like that idea. 👍