libopenapi-validator
libopenapi-validator copied to clipboard
pb33f
Global security schemes are not used when validating requests
According to the documentation:
When used on the root level,
securityapplies the specified security schemes globally to all API operations, unless overridden on the operation level.
The global security scheme declaration must be applied when validating a request for all endpoints. Currently, if a security scheme is not specified directly at the operation level, validation against that security scheme will not performed.
Versions in my go.mod
github.com/pb33f/libopenapi v0.28.0
github.com/pb33f/libopenapi-validator v0.6.4
Example
package main
import (
"fmt"
"net/http"
"github.com/pb33f/libopenapi"
"github.com/pb33f/libopenapi-validator/parameters"
)
func main() {
spec := `openapi: 3.1.0
components:
securitySchemes:
basicAuth:
type: http
scheme: basic
security:
- basicAuth: []
paths:
/burgers/beef:
get:
description: Get beef burger
`
doc, _ := libopenapi.NewDocument([]byte(spec))
m, _ := doc.BuildV3Model()
v := parameters.NewParameterValidator(&m.Model)
request, _ := http.NewRequest(http.MethodGet, "https://things.com/burgers/beef", nil)
//request.Header.Set("Authorization", "Basic 123")
valid, errors := v.ValidateSecurity(request)
fmt.Println(valid) // valid == True, should be False
fmt.Println(errors) // errors == [], should be not empty
}
