Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Can't get security handler to return a 401 without a "challenge" attributes

See original GitHub issue

Context: Looking to return 401s when a token is missing from a header. Front end redirects to login if this is the case

Issue: The docs indicate that you can use cb(null, false) from all securityHandlers to return a 401. I only have one but I’m getting a 500 with:

No security handlers returned an acceptable response: token

Notes: Looking at the code, it seems that without lastError.status defined there’s no way to return a 401

Also, when running cb(null, false) it seems the lastError becomes the first argument. So with null it would jump if (lastError) and it the default cb block

I’d be down to put in a PR, but I’m curious about you’d like the code to behave

Love your library! 💕

Issue Analytics

State:
Created 5 years ago
Comments:13 (11 by maintainers)

Top GitHub Comments

2reactions

notxtcommented, Sep 21, 2018

so, if I understand correctly, the general business logic is:

if any handler succeeds: authenticate
if no handler succeeds: return 401
if any handler throws an error: next(err)

I like that because if you want a specific response you can throw and then write a custom error handler

then the decision when implementing a handler would be:

do I want to authenticate: return true
do I want to let another handler authenticate: return false
do I want to not allow handlers to authenticate: throw new Error()

1reaction

raplemiecommented, Oct 23, 2018

So the information presented here: https://github.com/kogosoftwarellc/open-api/tree/master/packages/openapi-security-handler is mainly for internal use by the library ? If we use express-openapi, the only difference is that we must define handlers with the return true/false/“throw” behavior instead of the callbacks?

I think that is what drove me on the wrong track, I thought that now I was supposed to instantiate a const handler = new OpenAPISecurityHandler({...}); and use that somewhere, but I couldn’t figure out where.

Thanks for that quick reply! Raphael