Custom ApiKeyAuth is not being honoured #136

Closed
michaelwiles opened this issue Jul 29, 2020 · 2 comments

@michaelwiles

So I set the securitySchemes as specified in the docs:

SPECTACULAR_SETTINGS = {
    "APPEND_COMPONENTS": {
        "securitySchemes": {"ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "Authorization"}}
    },
    "SECURITY": [{"ApiKeyAuth": [],}],
}

That correctly brings up the option in the authorize:

image

Then I include my token in that field:

Token XXXXXXXXXXXXXXXXX

But then when I attempt to execute on an endpoint the Authorization header is not included...

image

Am I doing something wrong? The header is included if I use the default tokenAuth (http, Bearer), but it prefixes what I enter with Bearer, which my auth mechanism doesn't support.

@tfranzel
Owner

hi @michaelwiles. ok so there are multiple things at work here. in principle, you did everything right. The problem here is that your operation likely has a security section which overrides the global security section (where your "ApiKeyAuth": [] is put).

this feature was always meant as a measure of last resort because of those non-obvious reasons. we need to clarify that in the documentation. i kind of regret adding it at all.

the better approach would be a simple extension. If your auth method has an authentication_classes you can do that really easily. Take the default ones as reference: https://github.com/tfranzel/drf-spectacular/blob/master/drf_spectacular/authentication.py#L29 just adapt target_class name and return and it should work. (info on how to load them: https://drf-spectacular.readthedocs.io/en/latest/customization.html#step-4-extensions)

sidenote: i found a bug for DRF's TokenAuthentication, where bearerFormat is set to Token (as opposed to Bearer), but that is apparently just a non-functional hint. so if you are using that, we will quickly fix that. btw are you using a custom auth or some library? maybe we should add support for it.

@tfranzel
Owner

@michaelwiles, sry that this fell off the wagon. ab979c1 addresses this issue by appending SECURITY everywhere (if provided). this is the preferred way for djangorestframework-api-key. virtually all other cases should be handled with OpenApiAuthenticationExtension.
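
Added example (not part of the original thread and not drf-spectacular's code): the override described in the first reply can be checked on a generated OpenAPI 3 schema. The sketch lists operations whose effective `security` omits a scheme and shows the effect of appending the global requirements to per-operation lists; the function names and the sample schema are constructed for illustration.

```python
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def effective_security(schema, operation):
    """Operation-level `security` replaces the root-level list (OpenAPI 3 rule)."""
    if "security" in operation:
        return operation["security"]
    return schema.get("security", [])


def operations_missing_scheme(schema, scheme):
    """Return sorted (METHOD, path) pairs whose effective security omits `scheme`."""
    missing = []
    for path, item in schema.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            requirements = effective_security(schema, operation)
            if not any(scheme in requirement for requirement in requirements):
                missing.append((method.upper(), path))
    return sorted(missing)


def append_security(schema, extra):
    """Return a copy where `extra` requirements are appended to every operation
    that declares its own `security` (assumed reading of "appending SECURITY")."""
    schema = copy.deepcopy(schema)
    for item in schema.get("paths", {}).values():
        for method, operation in item.items():
            if method in HTTP_METHODS and "security" in operation:
                current = operation["security"]
                operation["security"] = current + [r for r in extra if r not in current]
    return schema


# Constructed schema: /users/ declares its own security, /ping/ inherits the global one.
SAMPLE = {
    "security": [{"ApiKeyAuth": []}],
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "Authorization"},
        "tokenAuth": {"type": "http", "scheme": "bearer"},
    }},
    "paths": {
        "/users/": {"get": {"security": [{"tokenAuth": []}], "responses": {}}},
        "/ping/": {"get": {"responses": {}}},
    },
}
```

An operation with an explicit empty `security: []` is documented as public; `append_security` as written would add a requirement to it, so exclude such operations if they must stay unauthenticated.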
