-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Confusing message when authenticator result type is invalid
#38
Comments
This is confusing. So, let's say you have an operation that has a security requirement like:
Now, if someone authenticates with a good sessionKey, we're never going to even try to authenticate against basicAuth. If someone authenticates with a bad sessionKey, though, should we continue on to try basicAuth, or should we reject immediately? What if they have good basicAuth credentials and a bad sessionKey? It's tempting to say we should reject immediately, but then, if you have a good basicAuth and a bad sessionKey and you get this security requirement:
where basicAuth and sessionKey are reversed, then we'd accept this (since we'd pass the basicAuth, and never bother to check the sessionKey). It's kind of weird that we pass in the one case, and fail in the other, just because the order of security requirements is different. Maybe what we should really be doing here is not short-circuiting on success - always run all the authenticators, and if any of them returns "invalid" we fail. The only real downside to that is that exegesis-passport usually doesn't know the difference between a missing result and an invalid result, but so long as it errors on the side of "missing" it's not any worse than what we have now. |
I think the invalid credentials scenario is going to be more common with the scenario of multiple "credentials" being an edge case. The multiple credentials being passed would be also easier to spot from the request.
That a very good point. Could this flow be a possible solution? For each authenticator
I think the consumer of the API would have a clear understanding what occurred. An update to the developer documentation would be needed to call out that the order that the authenticators are run in and that the process is short-circuited on a success.
Agreed. The passport flow would be no worse than the current flow, but things would be improved for other integrations. |
Yes, although I'd suggest if there's at least one set of invalid credentials, we should still fail, even if there's also some valid passing credentials. I'm working on something - hopefully I'll have a fix for this after the weekend. |
Hi Jason, Some interesting documentation in the specification under
OR case security: # A OR B
- A
- B
AND case security: # A AND B
- A
B
It makes sense to follow the spec but I can see that it wouldn't be a small change. It would also have an impact on the authenticator results, as they would need merged together when there is multiple results. |
Sets the first failure to the first invalid result encountered. Previously only set if the result hadn't a status of 401, which resulted in a generic error message. fix exegesis-js#38
Sets the first failure to the first invalid result encountered. Previously only set if the result hadn't a status of 401, which resulted in a generic error message. fix exegesis-js#38
🎉 This issue has been resolved in version 1.0.7 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Version Info:
Problem
I built a simple API to gain an understanding of your library. There is a single endpoint that is secured with the following scheme, which uses the sample authenticator that is detailed in OAS3 Security.md
When the
session
header is missing from the request the expected message is returned with a401
status.However, if the session header is specified but it is invalid, the same message is returned.
My initial conclusion was that the library was not detecting the session header, so I went digging into the code. I got down to the
authenticate
method on inlib/oas3/Operation.js
and realised that it does detect the header, but noticed that it doesn't return the result if the security type isinvalid
.I would've expected that the message and status code that I defined and returned in the authenticator to be set in the response.
For multiple authenticators, I would expect the behaviour to the same as a successful authentication. That is, it would return the result of the first invalid authenticator encountered.
The text was updated successfully, but these errors were encountered: