Provide first-class (generated) code to support authentication/authorization

Question

Provide first-class (generated) code to support authentication/authorization

jamietanna opened this issue 4 months ago · comments

As part of #1254 I'm looking at documenting the way that securitySchemes works, and it turns out it's a little more lackluster than I remember.

Right now, if you define an endpoint i.e.:

  /apiKey:
    get:
      operationId: apiKey
      description: Perform an authenticated request, using an API Key in the `X-API-Key` header
      security:
        - apiKey: []
      responses:
      # ... snip

This generates only the following code:

@@ -20,7 +20,6 @@ import (
 )
 
 const (
+       ApiKeyScopes    = "apiKey.Scopes"
        BasicAuthScopes = "basicAuth.Scopes"
 )
 
@@ -55,8 +54,6 @@ type MiddlewareFunc func(http.Handler) http.Handler
 func (siw *ServerInterfaceWrapper) ApiKey(w http.ResponseWriter, r *http.Request) {
        ctx := r.Context()
 
+       ctx = context.WithValue(ctx, ApiKeyScopes, []string{})
+
        handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
                siw.Handler.ApiKey(w, r)
        }))

This still requires a lot of work to hand-roll server-side authentication.

We should instead generate

We can generated ??, and then rely on an implemented method sfor

multi reoutes

k
Although it can be possible to use the middleware to authenticate, I believe it's an area we can improve on.

We'll need to consider:

the existence of the middleware(s) to not re-authenticate
the existence of multiple means to authenticate - is it first one wins?

This should be opt-in.

Example schema:

Some code can be found in 09adbb0

See also:

#843
#177
#221
#911

Alexander Hedges · Answer 1 · Thu Jun 06 2024 17:00:24 GMT+0800 (China Standard Time)

The current approach sort of works if you restrict yourself to one security scheme per endpoint. We are currently using a middleware which checks the request against the given authenticators. Using it looks something like this:

serverOptions := demo.ChiServerOptions{
	...
	Middlewares: []demo.MiddlewareFunc{
		OAPICodegenAuthMiddleware(map[string]Authenticator{
			api.ApiKeyScopes:    ApiKeyAuthenticator(db),
			api.BasicAuthScopes: BasicAuthenticator(usernamePasswordHashes),
		})},
}

Alexander Hedges · Answer 2 · Thu Jun 06 2024 17:08:34 GMT+0800 (China Standard Time)

For the issue with multiple security schemes per endpoint see #1644.

Our middleware currently resolves this problem by always assuming OR (which is the more common case) and disallowing AND-ing security schemes, but that has other drawbacks.

Marcin Romaszewicz · Answer 3 · Thu Jun 06 2024 19:54:41 GMT+0800 (China Standard Time)

IMO, putting anything to do with auth scopes into the generated code was a mistake, because it's a runtime behavior handled properly by openapi3filter. I have an API running at my workplace which has a complex specification with multiple schemes and it works ok.

I think we should deprecate authentication logic from the generated code altogether, and I'm happy to clean up the middleware or example to make it clear how to do this. Our middleware was written when openapi3filter was quite more primitive, and we could use it better today.