security scheme comparison should be case-insensitive #96
Comments
hsunner added a commit to hsunner/aiopenapi3 that referenced this issue on Jun 7, 2023
What do you think about using constr(to_lower=True) as annotation for scheme instead of adjusting the comparisons?

I will test that shortly. I'm currently validating my fix based on .lower(), but yours is a more abstract solution.
hsunner added a commit to hsunner/aiopenapi3 that referenced this issue on Jun 7, 2023
Works well, once I understood what you envisaged. PR submitted. Thanks for the swift reply!
commonism pushed a commit to hsunner/aiopenapi3 that referenced this issue on Jun 7, 2023
The code in Request._prepare_secschemes() compares the component.securitySchemes[].scheme value case-sensitively against lower-case constants, but the names of security schemes are not case-sensitive in the OpenAPI spec. The situation is messy, but it seems RFC 7235 sec. 2.1 is regarded as authoritative, and there the scheme names are case-insensitive.
In addition, in the same code the component.securitySchemes[].bearerFormat value is used as a Python template string, which is incorrect. It is in fact a documentation hint to a human reader (e.g. to know that it is a JWT token that can be decoded).
I am prepared to make a PR for this (it's a 5 LOC change).
References:
OAI/OpenAPI-Specification#1876
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
https://datatracker.ietf.org/doc/html/rfc7235#section-2.1
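The two defects the issue describes, and the fix the comments converge on (normalise the scheme to lower case before comparing, and leave bearerFormat alone), as an added stand-alone example; this is not aiopenapi3's own code, and the HTTPSecurityScheme class, build_authorization and matches_case_sensitive names are constructed for illustration.

```python
# Added example, not code from aiopenapi3. It shows why a case-sensitive
# comparison of securitySchemes[].scheme against lower-case constants rejects
# spec-valid spellings such as "Bearer", how normalising per RFC 7235 sec. 2.1
# (auth-scheme is a case-insensitive token) fixes it, and that bearerFormat
# is documentation for humans, never a template for the header value.
import base64
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass
class HTTPSecurityScheme:
    """Constructed stand-in for a components.securitySchemes entry of type http."""
    scheme: str                          # e.g. "Bearer", "bearer", "BASIC"
    bearerFormat: Optional[str] = None   # e.g. "JWT": a hint to the reader only


def matches_case_sensitive(scheme: str) -> bool:
    """The reported behaviour: only an all-lower-case value matches the constant."""
    return scheme == "bearer"


def build_authorization(sec: HTTPSecurityScheme,
                        credential: Union[str, Tuple[str, str]]) -> str:
    """Return the Authorization header value for the given scheme.

    credential is a token string for bearer, or a (user, password) pair for basic.
    """
    scheme = sec.scheme.lower()  # normalise once, then compare to lower-case constants
    if scheme == "bearer":
        # bearerFormat is deliberately ignored: "JWT" describes the token's
        # type to a human reader and must not be interpolated into the header.
        return f"Bearer {credential}"
    if scheme == "basic":
        user, password = credential
        raw = f"{user}:{password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unsupported HTTP auth scheme: {sec.scheme!r}")


if __name__ == "__main__":
    jwt_scheme = HTTPSecurityScheme(scheme="Bearer", bearerFormat="JWT")
    print(matches_case_sensitive(jwt_scheme.scheme))        # False: valid spelling rejected
    print(build_authorization(jwt_scheme, "constructed.jwt.token"))
    print(build_authorization(HTTPSecurityScheme("Basic"), ("alice", "s3cret")))
```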