Multiple scheme security requirement should be allowed #108

Closed
jormaechea opened this issue Oct 2, 2019 · 3 comments · Fixed by #109
@jormaechea
Contributor

jormaechea commented Oct 2, 2019

```js
function validateSecurityObject({ security, path }) {
  security.forEach(schemeObject => {
    // each object in this array should only have one key - the name of the scheme
    const schemeNames = Object.keys(schemeObject);
    const schemeName = schemeNames[0];
    // if there is more than one key, they will be ignored. the structural validator should
    // catch these but in case the spec changes in later versions of swagger,
    // a non-configurable warning should be printed to alert the user
    if (schemeNames.length > 1) {
      result.warning.push({
        path,
        message:
          'The validator expects only 1 key-value pair for each object in a security array.'
      });
    }
```

According to the standard:

> Security Requirement Objects that contain multiple schemes require that all schemes MUST be satisfied for a request to be authorized. This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information.

You're checking that each Security Requirement Object contains only one scheme, and setting a non-configurable warning.

I suggest one of the following:
a) Remove this validation, because it is non-standard.
b) Make it configurable so the user can decide what to do with it.

Thanks.

PS: Are you reviewing PRs?

UPDATE
This should also be fixed, because it only labels the first one as used.

```js
// each object in this array should only have one key - the name of the scheme
const name = Object.keys(scheme)[0];
```

@dpopp07
Member

dpopp07 commented Oct 2, 2019

@jormaechea Thanks for pointing this out - this does look like a mistake. To answer your question, yes, we are happy to review PRs so feel free to open one!

@jormaechea
Contributor Author

@dpopp07 Great! I'll tackle it this week and get back to you!

jormaechea added a commit to jormaechea/openapi-validator that referenced this issue Oct 4, 2019
Multiple security schemes are now considered as valid and flagged as used

Fixes IBM#108
dpopp07 pushed a commit that referenced this issue Oct 4, 2019
* Multiple security schemes are now considered as valid and flagged as used

* Fixes #108
dpopp07 pushed a commit that referenced this issue Oct 4, 2019
## [0.15.1](v0.15.0...v0.15.1) (2019-10-04)

### Bug Fixes

* allow multiple schemes in a security requirement object ([#109](#109)) ([f02ef2b](f02ef2b)), closes [#108](#108)
@dpopp07
Member

dpopp07 commented Oct 4, 2019

🎉 This issue has been resolved in version 0.15.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
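The difference between first-key-only handling and handling every key of a Security Requirement Object, as an added example that is not the validator's own code. All function names, scheme names and sample data are hypothetical and constructed for illustration; `isAuthorized` also uses the specification's rule that the objects in a `security` array are alternatives.

```javascript
// Constructed sample: one requirement that needs two header schemes together,
// plus an alternative requirement that uses a single scheme.
const sampleSecurity = [
  { apiKeyHeader: [], appIdHeader: [] },
  { oauth2: ['read'] }
];
// Constructed list of scheme definitions; 'legacyBasic' is never referenced.
const sampleDefinitions = ['apiKeyHeader', 'appIdHeader', 'oauth2', 'legacyBasic'];

// Behaviour described in the issue: only the first key of each object counts.
function usedSchemesFirstKeyOnly(security) {
  return new Set(security.map(req => Object.keys(req)[0]).filter(Boolean));
}

// Every key of every requirement object is a referenced scheme.
function usedSchemesAllKeys(security) {
  return new Set(security.flatMap(req => Object.keys(req)));
}

// Report definitions that are never referenced and references with no definition.
function auditSchemes(security, definedNames, collectUsed) {
  const used = collectUsed(security);
  return {
    unused: definedNames.filter(name => !used.has(name)),
    undefinedRefs: [...used].filter(name => !definedNames.includes(name))
  };
}

// All schemes inside one object must be satisfied (AND); the objects in the
// array are alternatives (OR). Scope values are ignored in this sketch.
function isAuthorized(security, satisfiedSchemes) {
  const satisfied = new Set(satisfiedSchemes);
  return security.some(req => Object.keys(req).every(name => satisfied.has(name)));
}
```

With first-key-only handling, `appIdHeader` is reported as unused even though a request must present it; treating a multi-scheme object as if only its first scheme mattered would also authorize a request that satisfies `apiKeyHeader` alone.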
