
Operation overrides global security with empty array


Hello !

I noticed that when an operation overrides the global security with an empty array, thus specifying that no security should be applied on this operation, it still somehow tries to validate the access to the route (and throws an error).

More specifically, and according to https://swagger.io/docs/specification/authentication/, if an operation has (e.g.)

...
security:
  - ApiKeyAuth: []
  - OAuth2:
      - read
      - write
paths:
  /ping:
    get:
      security: []   # No security

The route should be accessible publicly.

Currently, from what I see, it throws the default error. From what I checked, I think the check here should additionally check if the schemes array is empty or not. Doing so will bypass the security when the array is empty.

if (!schemes || schemes.length === 0) {

What do you think? I'm open to doing an MR for this.

This could be seen as a breaking change: if some people using the lib have "badly" configured security rules in their OpenAPI specs and were happy with this default handler, it will suddenly change "badly configured" protected routes to unprotected routes.
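To make the override rule concrete, here is an added example (not fastify-openapi-glue's own code) that resolves an operation's effective security from a constructed spec mirroring the issue, and contrasts a check that only tests for a missing list with the proposed one that also treats an empty list as "no auth". The `isAuthorized` step and the `presentSchemes` input are assumptions for illustration.

```javascript
// Constructed sample spec mirroring the issue: global ApiKeyAuth/OAuth2,
// /ping overridden with an empty array, /secret inheriting the global rules.
const spec = {
  security: [{ ApiKeyAuth: [] }, { OAuth2: ['read', 'write'] }],
  paths: {
    '/ping': { get: { security: [] } },
    '/secret': { get: {} },
  },
};

// Operation-level `security` replaces the global list when the key is present;
// an absent key inherits the global list. Only an explicit [] means "public".
function effectiveSecurity(doc, path, method) {
  const op = doc.paths[path][method];
  return op.security !== undefined ? op.security : (doc.security || []);
}

// Check modelled on the issue's description of the existing behaviour
// (assumption, not the library's code): only a missing list skips auth,
// so an empty list still falls through to the security handlers.
function requiresAuthOriginal(schemes) {
  return Boolean(schemes);
}

// The fix proposed in the issue: a missing OR empty list means no auth.
function requiresAuthFixed(schemes) {
  return !(!schemes || schemes.length === 0);
}

// Hypothetical authorisation step: a request passes when at least one
// requirement object has every named scheme satisfied (OpenAPI OR-of-ANDs).
function isAuthorized(schemes, presentSchemes, requiresAuth = requiresAuthFixed) {
  if (!requiresAuth(schemes)) return true;
  return schemes.some((req) =>
    Object.keys(req).every((name) => presentSchemes.includes(name)));
}

const ping = effectiveSecurity(spec, '/ping', 'get');
const secret = effectiveSecurity(spec, '/secret', 'get');
console.log(isAuthorized(ping, [], requiresAuthOriginal)); // false: the bug in the issue
console.log(isAuthorized(ping, []));                        // true: public after the fix
console.log(isAuthorized(secret, []));                      // false: still protected
console.log(isAuthorized(secret, ['OAuth2']));              // true
```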

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

2 reactions
mhamann commented, Jul 3, 2022

For anyone using v2 of this lib, you can do something like this as a workaround:

security:
  - none: []

paths:
  /ping:
    get:
      security:
        - none: []

and then provide a security handler that’s basically a no-op:

const securityHandlers = {
  none: async function () {
    // No-op
  }
}
1 reaction
seriousme commented, Jun 27, 2022

btw:

if (!(schemes?.length > 0)) {

would work as well 😉

Kind regards, Hans
