Support empty security

[arronzhang]

I'm submitting a...

[ ] Regression 
[ ] Bug report
[x] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

When I add global security. I can't exclude one api from the @ApiSecurity().

const docBuilder = new DocumentBuilder().addSecurityRequirements('bearer')

Expected behavior

We can define global security follow the document openapi authentication and exclude from the path by set security: [] # No security.

Now we can use SetMetadata('swagger/apiSecurity', []) to hack this feature when define ClassDecorator. But the this data has been omit when define the MethodDecorator.

[kamilmysliwiec]

Would you like to create a PR for this issue?

[SathursanS]

@zzdhidden Have you solved your issue. I'm trying to remove my global authentication from my health endpoint. Also where did you set your security:[] parameter.

[arronzhang]

@SathursanS I define a empty string and then clean from the apiObject.

import { SetMetadata, CustomDecorator } from '@nestjs/common';

export const ApiEmptySecurity = (): CustomDecorator =>
  SetMetadata('swagger/apiSecurity', ['']);

export function ApiFixEmptySecurity(apiObject: any): void {
  Object.values(apiObject.paths).forEach((path: any) => {
    Object.values(path).forEach((method: any) => {
      if (Array.isArray(method.security)) {
        method.security = method.security.filter((s: any) => !!s);
      }
    });
  });
}

[kamilmysliwiec]

Would you like to create a PR for this issue?

[TBG-FR]

Having followed the officiel NestJS docs to secure my API, all my routes are protected by an API-Key, and some of them can avoid it, with a Public() decorator (as explained in the docs)

In order to get Swagger to use that API Key, and not wanting to manually add @ApiSecurity() on all my routes excepted the few that are public, I used the following :

const PublicAuthMiddleware = () => SetMetadata(IS_PUBLIC_KEY, true);
const PublicAuthSwagger = () => SetMetadata('swagger/apiSecurity', ['']);
export const Public = () => applyDecorators(
  PublicAuthMiddleware,
  PublicAuthSwagger,
) 

in addition to

  const swaggerConfig = new DocumentBuilder()
  [...]
  .addSecurity('ApiKeyAuth', {type: 'apiKey', name: 'Authorization', in: 'header', description: "A valid issued API Key"})
  .addSecurityRequirements('ApiKeyAuth')

However, I don't understand where I need to put the ApiFixEmptySecurity ?
(@zzdhidden can you explain ? Your code piece was already really useful, thanks for that !)

@kamilmysliwiec I understand your answer in #1319 but I think one more decorator would be useful : sometimes you'll want to have @ApiSecurity() (or ApiBearerAuth() or anything) enabled only on some of your routes, and sometimes you'll want to enable Auth globally and disable it on some of your routes, that's only one decorator, for a "big" benefit, no ?

[rajp33]

For anyone that still needs a workaround, I modified the above code to get it working:

const PublicAuthMiddleware = SetMetadata(IS_PUBLIC_KEY, true);
const PublicAuthSwagger = SetMetadata('swagger/apiSecurity', ['public']);

export const Public = () => applyDecorators(
  PublicAuthMiddleware,
  PublicAuthSwagger,
)

And then where my server is initialized:

const document = SwaggerModule.createDocument(app, config);

Object.values((document as OpenAPIObject).paths).forEach((path: any) => {
    Object.values(path).forEach((method: any) => {
    if (Array.isArray(method.security) && method.security.includes('public')) {
        method.security = [];
    }
    });
});
...