
Security handlers cannot access request params

Open cionz0 opened this issue 2 years ago • 0 comments

Describe the bug: `request.params` is an empty object when accessed from inside the security handler, while the param values are shown correctly from inside the API route handler.

To Reproduce

  • Define a parametric route and secure the API (no matter the security type).
  • Define a security handler.
  • Print the `request.params` object from inside the API route handler and from inside the security handler.

Actual behavior The API can see the param values, while the security handler sees only an empty object.

Expected behavior See the same object both from inside the API code and from inside the security handler.

Examples and context

Express app code

"use strict";
const express = require("express");
const bodyParser = require("body-parser");
const cors = require("cors");
const app = express();
const openapi_validator_middleware = require("../middleware/openapi_validator_middleware");
// Body parsing and CORS run first, in registration order.
app.use(bodyParser.json());
// cors() with no options uses the package defaults, which allow any origin;
// pin `origin` to an allow-list outside of a reproduction.
app.use(cors());
app.use(express.text());
app.use(express.urlencoded({extended: false}));
// The validator (and with it the security handlers) is mounted app-wide with no
// path pattern, before any route is registered. Express fills request.params for
// the layer whose path pattern matched, so middleware mounted this way has no
// ":value" to populate — presumably why the security handler prints {}.
// NOTE(review): the validator keeps its own route match on request.openapi
// (pathParams); confirm that field for the installed version before an
// authorization check relies on it.
app.use(openapi_validator_middleware.OpenApiValidatorMiddleware);
// Error-handling middleware only receives errors from handlers registered before
// it, so the route added later in this file is not covered by this registration.
app.use(openapi_validator_middleware.error_handler);


/**
 * Registers the POST /test/:value route on the shared app and returns the app.
 *
 * @returns {object} The Express app with the route attached.
 */
module.exports = () => {
    // The `security` entry in the spec comment below names the scheme
    // `operatorOrUserToken`; the validator configuration registers a handler
    // under the same key in validateSecurity.handlers.
    /**
     * @openapi
     * /test/{value}:
     *     post:
     *       summary: Perform an Action
     *       description: Perform a specific action based on the provided value.
     *       security:
     *          - operatorOrUserToken: []
     *       parameters:
     *         - name: value
     *           in: path
     *           required: true
     *           description: The value to be used for the action.
     *           schema:
     *             type: string
     *       responses:
     *         '200':
     *           description: Action performed successfully
     *           content:
     *             application/json:
     *               schema:
     *                 type: object
     *                 properties:
     *                   code:
     *                     type: string
     *                     example: OK
     *                   status:
     *                     type: integer
     *                     example: 200
     *                   message:
     *                     type: string
     *                     example: action performed
     *                   data:
     *                     type: object
     *                     example: {}
     */
    // Express has matched "/test/:value" by the time this handler runs, so
    // request.params carries the path value here.
    app.post("/test/:value", async (request, response) => {
        console.log(request.params); // <<-- prints {value: "the_value"}
        try {
            // Echoes the caller-supplied path parameter back in the JSON body.
            response.status(200).send({
                code: "OK", status: 200, message: "action performed", data: request.params,
            });
        } catch (e) {
            // Invokes the error handler directly rather than through next(e).
            openapi_validator_middleware.error_handler(e, request, response);
        }
    });
    return app;
};

Middleware code

"use strict";


const OpenApiValidator = require("express-openapi-validator");
const security_handlers = require("./security/security_handlers");

// Builds the express-openapi-validator middleware with request, response, spec
// and security validation all switched on.
const OpenApiValidatorMiddleware = OpenApiValidator.middleware({
    apiSpec: require("../openapi/openapi").SPECIFICATIONS,
    validateRequests: true, 
    validateResponses: true, 
    validateApiSpec: true,
    validateSecurity: {
        // Handlers are keyed by security scheme name; the route in the app
        // listing declares `operatorOrUserToken`.
        handlers: {
            "operatorOrUserToken": async function(request, scopes, schema) {
                console.log("params", request.params); // <<-- prints {}
                // Reproduction placeholder: returning true unconditionally
                // authorizes every request. A real handler must verify the
                // credential, and a per-resource check must not read the empty
                // request.params seen here as "no resource to check".
                // NOTE(review): request.openapi.pathParams should hold the matched
                // path values at this point — confirm for the installed version.
                return true;
            }
        },
    },

});


// Only the middleware is exported. The app listing also reads `error_handler`
// from this module, which this excerpt does not define — presumably trimmed
// from the example.
module.exports = {OpenApiValidatorMiddleware};

cionz0 avatar Oct 18 '23 13:10 cionz0