[BUG] PHPSlim4 - Want only 1 authentication method out of multiple


Bug Report Checklist

  • Have you provided a full/minimal spec to reproduce the issue?
  • Have you validated the input using an OpenAPI validator (example)?
  • What’s the version of OpenAPI Generator used? 4.2.1
  • Have you searched for related issues/PRs?
  • What’s the actual output vs expected output? Actual: adds all security schemes in middlewares that all get executed. Expected: only one security scheme should match.

Description

The generator does not take into account the fact that multiple security schemes are defined as ‘OR’. In other words, the generated PHP Slim code will always try to perform all authentication methods simultaneously.

They are added in the middlewares like this:

$this->addRoute(..
                $middlewares
            )->setName($operation['operationId']);

openapi-generator version

4.2.1

OpenAPI declaration file content or url

        get:
            ...
            security:
                -
                    AdminToken: []
                -
                    UserJWT: []
                -
                    ExternalToken: []

Steps to reproduce

Create an OpenAPI operation with multiple possible security schemes.

Related issues/PRs

Looks similar to https://github.com/OpenAPITools/openapi-generator/issues/3844 for Python. Also https://github.com/OpenAPITools/openapi-generator/issues/797 seems relevant.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 9 (9 by maintainers)

Top GitHub Comments

1 reaction
wing328 commented, Feb 24, 2020

I think the example provided by @richardwhiuk is correct to explain AND, OR in security definitions for endpoints.

Your example (even more complex) is also correct.

1 reaction
richardwhiuk commented, Feb 22, 2020

Should be confirmed, but my understanding of the spec is:

openapi: 3.0.1
paths:
  /security-requirement-all:
    post:
      security:
      - api_key: []
        oauth: ["scope"]
  /security-requirement-one-of:
    post:
      security:
      - api_key: []
      - oauth: ["scope"]
components:
  securitySchemes:
    api_key:
      type: apiKey
      name: X-Api-Key
      in: header
    oauth:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: https://example.com/api/oauth/dialog
          scopes:
            scope: sample scope

The first specifies a Security Requirement object with two requirements.

The second gives two options for the Security Requirement object, one of which must be satisfied.
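
The OR/AND reading discussed in this thread, as an added example that is not part of the original issue or of the generator's output: a plain-PHP evaluator that a single Slim middleware could call instead of chaining one middleware per scheme. The function name `satisfiedRequirement`, the authenticator callables, the header names in the request array and all credentials are hypothetical and constructed for illustration; it assumes a non-empty `security` list.

```php
<?php
declare(strict_types=1);

// Added example, not generator output. Evaluates an operation's `security` list:
// entries of the outer list are alternatives (OR); schemes inside one entry
// must all pass (AND). Returns the scheme names of the first satisfied entry,
// or null when the request must be rejected.
function satisfiedRequirement(array $security, array $authenticators, array $headers): ?array
{
    foreach ($security as $requirement) {                  // OR across entries
        $ok = true;
        foreach ($requirement as $scheme => $scopes) {     // AND within one entry
            $check = $authenticators[$scheme] ?? null;
            // Fail closed on a scheme that has no registered check.
            if ($check === null || $check($headers, $scopes) !== true) {
                $ok = false;
                break;
            }
        }
        if ($ok) {
            return array_keys($requirement);
        }
    }
    return null;
}

// Hypothetical per-scheme checks using constructed credentials.
$authenticators = [
    'api_key' => fn(array $h, array $scopes): bool =>
        hash_equals('constructed-api-key', $h['X-Api-Key'] ?? ''),
    'oauth' => function (array $h, array $scopes): bool {
        // Stand-in for token introspection: constructed token => granted scopes.
        $granted = ['constructed-oauth-token' => ['scope']];
        if (!preg_match('/^Bearer (\S+)$/', $h['Authorization'] ?? '', $m)) {
            return false;
        }
        $have = $granted[$m[1]] ?? null;
        return $have !== null && array_diff($scopes, $have) === [];
    },
];

$allOf = [['api_key' => [], 'oauth' => ['scope']]];      // /security-requirement-all
$oneOf = [['api_key' => []], ['oauth' => ['scope']]];    // /security-requirement-one-of
$request = ['X-Api-Key' => 'constructed-api-key'];       // constructed: API key only

var_dump(satisfiedRequirement($allOf, $authenticators, $request));
var_dump(satisfiedRequirement($oneOf, $authenticators, $request));
```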
