Bug: `AbstractSecurityConfig` sets `security` for all paths, even those `exclude`d #3013
Open
1 of 4 tasks
Labels
area/openapi: This PR involves changes to the OpenAPI schema
Bug 🐛: This is something that is not working as expected
Help Wanted 🆘: This is good for people to work on
Description
The `AbstractSecurityConfig` adds OpenAPI `securityScheme` and `security` entries to the generated spec, but it does so at the root level of the spec, instead of per endpoint.

That is fine, as long as you apply the logic for all endpoints. But it also allows you to `exclude` certain paths from processing, and yet the `security` spec will apply for those endpoints, too. That is because it gets defined at the root level of the OpenAPI spec, instead of per path.

A local `security` will overwrite the global one, but if there's an endpoint without authentication, the `security` should not be added to the root of the spec as there won't be a local `security` declaration.

Related thing is that the `AbstractAuthenticationMiddleware` does not add `security` or `securityScheme` to the OpenAPI spec at all. You would kinda expect that it does, similar to FastAPI's `SecurityBase` inheritors (e.g. https://fastapi.tiangolo.com/tutorial/security/simple-oauth2). You have to separately provide `security=` in decorators/routers. But that's another thing, I guess.

MCVE
N/A at this point but ping if unclear and I'll add.
Litestar Version
2.4.5
Platform
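Added example, not part of the original issue and not Litestar code: a post-processing check over a generated OpenAPI document that flags excluded paths still documented as secured through the root-level `security`, and a rewrite that pushes the requirement down to each operation. The sample spec, the `BearerToken` scheme name, both function names, and the assumption that `exclude` entries are regular expressions searched against the path are all constructed for illustration.

```python
import copy
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: root-level security, with /login meant to be excluded from auth.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "security": [{"BearerToken": []}],
    "components": {"securitySchemes": {"BearerToken": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/login": {"post": {"responses": {}}},
        "/users": {"get": {"responses": {}}, "parameters": []},
    },
}
EXCLUDE = ["^/login$"]  # assumption: patterns are regexes searched against the path


def _is_excluded(path, exclude):
    return any(re.search(pattern, path) for pattern in exclude)


def documented_as_secured_but_excluded(spec, exclude):
    """Return sorted (METHOD, path) pairs the spec marks as secured on excluded paths."""
    root_security = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not _is_excluded(path, exclude):
            continue
        for method, operation in item.items():
            # A local `security` overrides the root one; `[]` means "no auth required".
            if method in HTTP_METHODS and operation.get("security", root_security):
                findings.append((method.upper(), path))
    return sorted(findings)


def scope_security_to_operations(spec, exclude):
    """Return a copy with root `security` moved onto each operation that lacks its own."""
    out = copy.deepcopy(spec)
    root_security = out.pop("security", None)
    if root_security is None:
        return out
    for path, item in out.get("paths", {}).items():
        excluded = _is_excluded(path, exclude)
        for method, operation in item.items():
            if method not in HTTP_METHODS or "security" in operation:
                continue  # skip non-operation keys; keep existing local declarations
            operation["security"] = [] if excluded else copy.deepcopy(root_security)
    return out
```

Running the first function in CI against the generated schema catches the mismatch between documented and enforced authentication; the second shows the per-operation shape the spec would need.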