[BUG] - Errors ignored during multiple security checking
These lines below are invalid:
- packages/cli/src/routeGeneration/templates/express.hbs#L128
- packages/cli/src/routeGeneration/templates/express.hbs#L136
- packages/cli/src/routeGeneration/templates/hapi.hbs#L109
- packages/cli/src/routeGeneration/templates/koa.hbs#L97
I’m submitting a …
- bug report
- feature request
- support request
I confirm that I
- used the search to make sure that a similar issue hasn’t already been submitted
Steps to Reproduce
```typescript
@Security('publicAccess')
@Security('accessToken') // This one should be invalid and throw an error, but nothing happened
@Get('verifyToken')
public async verifyToken(): Promise<void> {
  // ...
}
```
Detailed Description
Because currently in my code I’m using multiple @Security decorators, and the thing is, if one of those fails, only the last one will be reported!
Plus, expressAuthentication(request, name, secMethod[name]) is executed before being pushed onto the promise stack. It means that if expressAuthentication fails synchronously, the app will literally crash.
Expected Behavior
[info] GET /api/v1/verifyToken?accessToken=&publicToken=test 400 // ERROR INVALID ACCESS TOKEN
Current Behavior
[info] GET /api/v1/verifyToken?accessToken=&publicToken=test 200
Possible Solution
To replace in /packages/cli/src/routeGeneration/templates/express.hbs#L128:
```typescript
function authenticateMiddleware(security: TsoaRoute.Security[] = []) {
  return (request: any, _response: any, next: any) =>
    new Promise((resolve, reject) => {
      const promises: Promise<any>[] = [];
      // Start every configured security check; a synchronous throw inside this
      // executor rejects the outer promise instead of escaping the middleware.
      for (const secMethod of security) {
        for (const name in secMethod) {
          promises.push(expressAuthentication(request, name, secMethod[name]));
        }
      }
      // All checks must pass; the first rejection is reported.
      Promise.all(promises)
        .then(resolve)
        .catch(reject);
    }).then((results: any) => {
      request['user'] = results.shift();
      next();
    }).catch((error) => {
      error.status = error.status || 401;
      next(error);
    });
};
```
More
I saw in the tests that the logic is:
- if security one is not ok, then we choose security two
- or if security two is not ok, then we choose security one
But I think we should choose this kind of logic:
- Ok, I set a security on my route, then it must be verified
- EXCEPT if the second parameter is OPTIONAL, e.g.:
```typescript
@Security('publicAccess') // SHOULD BE VERIFIED EVEN IF THERE IS ANOTHER SECURITY BELOW
@Security('accessToken', ['optional']) // THIS ONE IS OPTIONAL, SO IF THE VERIFICATION FAILS THAT IS NOT A PROBLEM
```
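As an added example, not the reporter's code and not tsoa's own template, here is a self-contained TypeScript sketch of the rule proposed above: every listed security must pass unless its scopes include 'optional', and a check that throws synchronously (the crash case from the issue) is turned into a rejection that reaches next(error). The Security and Next types, the constructed expressAuthentication stand-in, the 'optional' scope and the run() helper are assumptions.

```typescript
// Assumed shapes mirroring tsoa's TsoaRoute.Security: one object per @Security decorator,
// mapping a security name to its scopes; here the scope 'optional' marks a check that may fail.
type Security = Record<string, string[]>;
type Next = (err?: any) => void;
type Outcome = { status: number; user?: any };

// Constructed stand-in for the app's own expressAuthentication(request, name, scopes).
// 'accessToken' throws synchronously when the token is empty: the crash case from the issue.
function expressAuthentication(request: any, name: string, _scopes: string[]): Promise<any> {
  if (name === "publicAccess") {
    return request.query.publicToken
      ? Promise.resolve({ role: "public" })
      : Promise.reject(Object.assign(new Error("INVALID PUBLIC TOKEN"), { status: 400 }));
  }
  if (name === "accessToken") {
    if (!request.query.accessToken) throw Object.assign(new Error("INVALID ACCESS TOKEN"), { status: 400 });
    return Promise.resolve({ role: "user" });
  }
  return Promise.reject(new Error(`unknown security: ${name}`));
}

// Every listed security must pass, except those whose scopes include 'optional'.
// Each check is started inside a promise chain, so a synchronous throw becomes a rejection
// of that one promise and Promise.all reports it through next(error) instead of crashing.
function authenticateMiddleware(security: Security[] = []) {
  return (request: any, _response: any, next: Next) => {
    const promises: Promise<any>[] = [];
    for (const secMethod of security) {
      for (const name in secMethod) {
        const check = Promise.resolve().then(() => expressAuthentication(request, name, secMethod[name]));
        promises.push(secMethod[name].includes("optional") ? check.catch(() => undefined) : check);
      }
    }
    return Promise.all(promises)
      .then(results => { request.user = results.find(r => r !== undefined); next(); }) // first user produced
      .catch(error => { error.status = error.status || 401; next(error); });
  };
}

// Assumed helper: runs the middleware on a constructed request and reports the outcome.
function run(security: Security[], query: Record<string, string>): Promise<Outcome> {
  return new Promise<Outcome>(resolve => {
    const request: any = { query };
    authenticateMiddleware(security)(request, {}, (err?: any) =>
      resolve(err ? { status: err.status } : { status: 200, user: request.user }));
  });
}
```

With `{ publicToken: "test", accessToken: "" }`, a required accessToken yields status 400 (the expected-behaviour log line above), while the same check marked 'optional' yields 200 with the publicAccess user.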
Top GitHub Comments
@dobobaie try to use
```typescript
@Security({'publicAccess': [], 'accessToken': []})
```
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days