Support empty security

I’m submitting a…


[ ] Regression 
[ ] Bug report
[x] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

When I add global security, I can’t exclude one API from the @ApiSecurity().

const docBuilder = new DocumentBuilder().addSecurityRequirements('bearer')

Expected behavior

We can define global security following the OpenAPI authentication documentation and exclude a path from it by setting security: [] # No security.

Now we can use SetMetadata('swagger/apiSecurity', []) to hack this feature when defining a ClassDecorator. But this data is omitted when defining the MethodDecorator.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments:6 (2 by maintainers)

Top GitHub Comments

2 reactions
rajp33 commented, Mar 16, 2022

For anyone that still needs a workaround, I modified the above code to get it working:

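import { applyDecorators, SetMetadata } from '@nestjs/common';

// IS_PUBLIC_KEY is defined elsewhere in the application.
const PublicAuthMiddleware = SetMetadata(IS_PUBLIC_KEY, true);
// Sentinel value, replaced with an empty security array once the document is built.
const PublicAuthSwagger = SetMetadata('swagger/apiSecurity', ['public']);

export const Public = () => applyDecorators(
  PublicAuthMiddleware,
  PublicAuthSwagger,
);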

And then where my server is initialized:

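import { OpenAPIObject, SwaggerModule } from '@nestjs/swagger';

const document = SwaggerModule.createDocument(app, config);

// Replace the 'public' sentinel with an empty security array on each tagged operation.
Object.values((document as OpenAPIObject).paths).forEach((path: any) => {
  Object.values(path).forEach((method: any) => {
    if (Array.isArray(method.security) && method.security.includes('public')) {
      method.security = [];
    }
  });
});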
...
1 reaction
TBG-FR commented, Nov 2, 2021

Having followed the official NestJS docs to secure my API, all my routes are protected by an API-Key, and some of them can avoid it, with a Public() decorator (as explained in the docs).

In order to get Swagger to use that API Key, and not wanting to manually add @ApiSecurity() on all my routes except the few that are public, I used the following:

const PublicAuthMiddleware = () => SetMetadata(IS_PUBLIC_KEY, true);
const PublicAuthSwagger = () => SetMetadata('swagger/apiSecurity', ['']);
export const Public = () => applyDecorators(
  PublicAuthMiddleware,
  PublicAuthSwagger,
) 

in addition to

  const swaggerConfig = new DocumentBuilder()
  [...]
  .addSecurity('ApiKeyAuth', {type: 'apiKey', name: 'Authorization', in: 'header', description: "A valid issued API Key"})
  .addSecurityRequirements('ApiKeyAuth')

However, I don’t understand where I need to put the ApiFixEmptySecurity? (@zzdhidden can you explain? Your code piece was already really useful, thanks for that!)

@kamilmysliwiec I understand your answer in #1319 but I think one more decorator would be useful: sometimes you’ll want to have @ApiSecurity() (or ApiBearerAuth() or anything) enabled only on some of your routes, and sometimes you’ll want to enable Auth globally and disable it on some of your routes. That’s only one decorator, for a “big” benefit, no?
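
Added example (not code from the thread or from NestJS): the sentinel-stripping workaround above, written against a plain OpenAPI object, plus a check that lists every operation whose effective security is empty so the set of public routes can be reviewed after the rewrite. The type names, function names and the sample document are assumptions made for illustration; it also assumes the 'public' sentinel can sit next to real requirement objects in an operation's security array.

```typescript
// Minimal shapes for the parts of an OpenAPI document used here (added example).
type Requirement = Record<string, string[]>;
type Operation = { security?: Array<Requirement | string> };
type OpenApiDoc = { security?: Requirement[]; paths: Record<string, Record<string, unknown>> };
const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Visit only real operations, skipping path-item keys such as "parameters".
function forEachOperation(doc: OpenApiDoc, fn: (id: string, op: Operation) => void): void {
  for (const route of Object.keys(doc.paths)) {
    for (const verb of HTTP_METHODS) {
      const op = doc.paths[route][verb];
      if (op && typeof op === 'object') fn(`${verb.toUpperCase()} ${route}`, op as Operation);
    }
  }
}

// The thread's workaround: an operation tagged with the sentinel gets security: [].
function stripPublicSentinel(doc: OpenApiDoc, sentinel = 'public'): string[] {
  const changed: string[] = [];
  forEachOperation(doc, (id, op) => {
    if (Array.isArray(op.security) && op.security.some((r) => r === sentinel)) {
      op.security = [];
      changed.push(id);
    }
  });
  return changed;
}

// Operation-level "security" overrides the document-level list; an empty list
// or an empty requirement object ({}) means the operation needs no credentials.
function unauthenticatedOperations(doc: OpenApiDoc): string[] {
  const open: string[] = [];
  forEachOperation(doc, (id, op) => {
    const effective: Array<Requirement | string> = op.security ?? doc.security ?? [];
    const isEmptyReq = (r: Requirement | string) => typeof r === 'object' && Object.keys(r).length === 0;
    if (effective.length === 0 || effective.some(isEmptyReq)) open.push(id);
  });
  return open;
}

// Constructed sample document, not taken from the issue.
const sampleDoc: OpenApiDoc = {
  security: [{ ApiKeyAuth: [] }],
  paths: {
    '/health': { get: { security: [{ ApiKeyAuth: [] }, 'public'] } },
    '/users': { get: {}, post: { security: [{ ApiKeyAuth: [] }] }, parameters: [] },
    '/debug': { get: { security: [] } },
  },
};
```

Comparing the output of `unauthenticatedOperations` with the list of routes that are meant to be public, for example in a CI step, flags an operation such as the constructed `/debug` route that is documented as unauthenticated without carrying the sentinel.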
