I prepared Swagger 2.0 definition for my API implemented on node.js/connect. I added security definitions:
securityDefinitions:
  BasicAuth:
    type: basic
  OAuth2:
    type: oauth2
    flow: accessCode
    authorizationUrl: http://localhost:9080/auth/realms/master/protocol/openid-connect/auth
    tokenUrl: http://localhost:9080/auth/realms/master/protocol/openid-connect/token
    scopes:
      scope1: my scope 1
      scope2: my scope 2
and the API:
/myAPI:
  post:
    [...]
    security:
      - BasicAuth: []
      - OAuth2: [scope1]
Thus the API is secured either by Basic HTTP Auth or by OAuth2 (actually a bearer token), requiring the scope 'scope1'. Now the implementation. I use swagger-tools to generate my API stub:
java -jar swagger-codegen-cli.jar generate -l nodejs-server -i my.yaml -o out
As far as I know generated swagger-tools code doesn't do anything about security, so I added custom code for that:
[...]
// One handler per securityDefinitions entry; swagger-tools calls each as
// (req, securityDefinition, scopes, callback), where `scopes` is the list
// declared under the operation's `security` entry.
let secoptions = {
  'BasicAuth': function (req, securityDefinition, scopes, callback) {
    basicAuth(req, callback);
  },
  'OAuth2': function (req, securityDefinition, scopes, callback) {
    oAuth2(req, scopes, callback);
  }
};
app.use( middleware.swaggerSecurity( secoptions));
[...other swagger-tools generated init code...]
I use passport-http BasicStrategy for basicAuth processing. I use passport-http-bearer Strategy with openid-client for oAuth2 bearer token processing. And that works, however:
- I'm just wondering if I'm using the correct tools/libraries here?
- Does swagger-tools really do nothing about the security defined in the Swagger file?
- There is completely no automatic scope processing/verifying - I have to manually check in the oAuth2 function whether the token provided (as bearer) contains the scopes required by the API Swagger definition. Is that the correct way to do that, or maybe there is some hidden option or something to automatically verify scopes?
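Added example, not code from the question or from swagger-tools: an `OAuth2` handler with the same `(req, securityDefinition, scopes, callback)` shape as the `secoptions` entries above, which validates the bearer token and then compares the `scope` claim against the scopes the operation declares (the third argument). Token validation is a constructed lookup table standing in for openid-client/introspection; `makeOAuth2Handler`, `missingScopes`, `runHandler`, the `FAKE_TOKENS` values and the `statusCode` property on the error are all assumptions of this example, not swagger-tools API.

```javascript
// Constructed stand-in for real token introspection via openid-client:
// keys are bearer token strings, values are the claims the IdP would return.
const FAKE_TOKENS = {
  'tok-scope1':  { active: true,  sub: 'alice', scope: 'openid scope1' },
  'tok-noscope': { active: true,  sub: 'bob',   scope: 'openid' },
  'tok-expired': { active: false, sub: 'carol', scope: 'scope1 scope2' }
};

// Constructed lookup standing in for introspection; returns claims or null.
function fakeLookupClaims(token) {
  return FAKE_TOKENS[token] || null;
}

// Pull the token out of "Authorization: Bearer <token>", or return null.
function extractBearer(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  return m ? m[1] : null;
}

// Return the required scopes the token does not carry. The `scope` claim is
// a space-separated list (RFC 6749 section 3.3).
function missingScopes(tokenScopeString, requiredScopes) {
  const granted = new Set((tokenScopeString || '').split(/\s+/).filter(Boolean));
  return (requiredScopes || []).filter((s) => !granted.has(s));
}

// Build the 'OAuth2' entry for middleware.swaggerSecurity. `lookupClaims` maps
// a token string to its claims (or null); here it is the constructed lookup.
function makeOAuth2Handler(lookupClaims) {
  return function oAuth2(req, securityDefinition, scopes, callback) {
    const token = extractBearer(req);
    if (!token) {
      const err = new Error('missing bearer token');
      err.statusCode = 401; // assumption: downstream error handler reads this
      return callback(err);
    }
    const claims = lookupClaims(token);
    if (!claims || claims.active !== true) {
      const err = new Error('invalid or inactive token');
      err.statusCode = 401;
      return callback(err);
    }
    // Authentication succeeded; now enforce the operation's declared scopes.
    const missing = missingScopes(claims.scope, scopes);
    if (missing.length > 0) {
      // Valid token that is not authorised for this operation: 403, not 401.
      const err = new Error('insufficient scope: ' + missing.join(' '));
      err.statusCode = 403;
      return callback(err);
    }
    req.user = { sub: claims.sub, scopes: claims.scope.split(/\s+/) };
    return callback();
  };
}

// Drive the handler outside swagger-tools: returns the error's statusCode,
// or 200 when the handler calls back without an error.
function runHandler(handler, authorization, scopes) {
  const req = { headers: { authorization: authorization } };
  let status = 200;
  handler(req, { type: 'oauth2' }, scopes, (err) => {
    if (err) status = err.statusCode;
  });
  return status;
}

const oAuth2Handler = makeOAuth2Handler(fakeLookupClaims);

// Wiring, same shape as the question's secoptions (BasicAuth handler omitted):
// app.use(middleware.swaggerSecurity({ OAuth2: oAuth2Handler }));
```

The point of splitting `missingScopes` out is that the scope comparison is the part swagger-tools leaves to you: it hands the handler the `scopes` list from the operation's `security` entry, and whether the token satisfies it is decided entirely inside the handler. Keeping authentication failures (401) distinct from authorisation failures (403) also makes log review easier when a client presents a valid token for the wrong scope.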