security scheme comparison should be case-insensitive #96
Comments
hsunner
added a commit
to hsunner/aiopenapi3
that referenced
this issue
Jun 7, 2023
|
What do you think about using constr(to_lower=True) as annotation for scheme instead of adjusting the comparisons? |
|
I will test that shortly. I'm currently validating my fix based on .lower(), but yours is a more abstract solution. |
hsunner
added a commit
to hsunner/aiopenapi3
that referenced
this issue
Jun 7, 2023
|
Works well, once I understood what you envisaged. PR submitted. Thank's for the swift reply! |
commonism
pushed a commit
to hsunner/aiopenapi3
that referenced
this issue
Jun 7, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The code in Request._prepare_secschemes() compares the component.securitySchemes[].scheme value case-sensitive to lower-case constants, but the names of security schemes are not case-sensitive in the OpenAPI spec. The situation is messy, but it seems RFC7235 sec2.1 is regarded as authoritative in which constants are case-insensitive.
In addition, in the same code the component.securitySchemes[].bearerFormat value is used as a Python template string, which is incorrect. It is in fact a documentation hint to a human reader (e.g. to know that it is a JWT token that can be decoded).
I am prepared to make a PR for this (it's a 5 LOC change).
References:
OAI/OpenAPI-Specification#1876
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
https://datatracker.ietf.org/doc/html/rfc7235#section-2.1
The text was updated successfully, but these errors were encountered: