initial work on security schema (only jwt bearer)

[muhammadn]

No description provided.

[ota42y]

Thanks for adding the feature!
Certainly supporting only JWT to begin with is a very good start.

[muhammadn]

@ota42y You can clone my branch. It is almost complete but problem with the MyBearerToken which can be any name in comment above.

Update: This is done! 🎉

[muhammadn]

@ota42y Mostly done. I will figure out how to get the headers to check for a JWT token, or if it is a valid token.

I've done some others, i'm very appreciative of your time you took to answer me, 🙇‍♂️, so i contributed some PRs for other stuff that is missing (servers is done, info is not that important but it's simple so i decided to do it)

[muhammadn]

I've finished it including tests.

[ota42y]

Thank you!!! I think it is a very good code.
Some of the validation was not up to OpenAPI Specification, so that needs to be fixed, but I think we're almost there!

[ota42y]

Please define new error class.
https://github.com/ota42y/openapi_parser/blob/master/lib/openapi_parser/errors.rb

[ota42y]

The OpenAPI Specification define that it is OK if either one of OpenAPI Object or Operation Object's security requirement is satisfied, so need to check both security fields.
https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#securityRequirementObject

When a list of Security Requirement Objects is defined on the OpenAPI Object or Operation Object, only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request.

Now RequestOperation Object doesn't have OpenAPI's security field so we need pass it too.

[ota42y]

I think it is good to create validator which require Security Scheme Object and Security Requriement Object and validate seurity schemes specified by requirement objects for validating OpenAPI Object and Operation Object.

[muhammadn]

@ota42y I don't understand this part:

I think it is good to create validator which require Security Scheme Object and Security Requriement Object

[ota42y]

If you are adding the validation method to the Security Requriement Object, that's fine. I was thinking of using Security Scheme Object for validation and thought that would be a problem. Ignore it.

[ota42y]

We must checks for a Security Scheme Object with a corresponding name if there is a SecurityRequriment Object so we don't need check all securitySchemes.

def validate_security_schemes(securitySchemes, headers)
  validate_results = security.map do |s| # s is security requirement object
    # check all security
    s.validate_security_schemes(securitySchemes, headers)
  end
  if validate_results.count(true) == 1
    return true # accept 
  end
  return ValidateSecurityError()
end

I have determined that the validate passes if only one security scheme is valid, and if two or more are valid, the validate does not pass.
( We need check validate_results.count(true) == 1, not validate_results.count(true) >= 1 )
Is this OK? My English is not very good, so I doubt if I am reading it correctly.

Only one of the security requirement objects need to be satisfied to authorize a request. 

[muhammadn]

@ota42y
your english is ok...! I have to understand, security requirement object does not have schema information about type, scheme and bearerFormat is only in SecuritySchema object.

So this code below cannot be used in security.rb which is security requirements object (the latest code that i just pushed)

   # this code cannot be used in security.rb (security requirement object)
    def validate_security_schemes(securityScheme, headers)
      if self.type == "http" && self.scheme == "bearer" && self.bearer_format == "JWT"
      end
    end

[muhammadn]

@ota42y Hi. any updates? I'm thinking of doing my own fork because i cannot find the solution with:

def validate_security_schemes(securitySchemes, headers)
  validate_results = security.map do |s| # s is security requirement object
    # check all security
    s.validate_security_schemes(securitySchemes, headers) <-- this needs to be object, cannot use "self" with `securitySchemes
  end
  if validate_results.count(true) == 1
    return true # accept 
  end
  return ValidateSecurityError()
end

[ota42y]

security requirement object does not have schema information about type, scheme and bearerFormat is only in SecuritySchema object.

You are right. I confused security scheme object and secuirty requirement object 🙇

[ota42y]

Now users are using code under the assumption that this validation will not take place, and it may suddenly break at update time.
Therefore, it would be better to control this optionally or make it a separate method and have it called separately.

[ota42y]

How much detail to verify here is a difficult question.
When verifying a signed JWT, the user expects the signature to be correct.
But we must passed key and various options to the library.
The options are numerous and require the same amount of effort as creating a wrapper for the jwt library.
Also, the OpenAPI definition does not expect JWT to have detailed information about signature verification.

One solution would be to have the user pass in a callback what validation is to be performed, and this library would only call the callback.
This would allow users to, for example, check for certain values in the JWT or force disabling of the JWT for some users only.

In this case, instead of limiting the bearerFormat=JWT, I think it would be possible to pass a Security Scheme Object to the callback so that users can validate non-JWT formats as well, thus allowing for a wider range of applications.

[ota42y]

Late reply, but I got back to you, thanks for pointing it out right!