Support for security scheme/auth

[czechboy0]

https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object

Let's do a proposal first, as there are a few ways this could be implemented.

For now, the workaround is to write your own middleware that injects the appropriate headers to every outgoing request.

Example: https://github.com/apple/swift-openapi-generator/tree/main/Examples/auth-client-middleware-example

[Jonovono]

@czechboy0 I'm able to get the client middleware to inject headers to the request, but whats the best way to extract that on the server?

What I have tried so far is having a server middleware that verifies the token:

    func intercept(
        _ request: Request,
        metadata: ServerRequestMetadata,
        operationID: String,
        next: (Request, ServerRequestMetadata) async throws -> Response
    ) async throws -> Response {
        if protectedOperations.contains(operationID) {
            if let authToken = request.headerFields.first(where: { $0.name == "Authorization" })?.value
            {

                if validateJWTToken(authToken) {
                    var newHeaderFields = request.headerFields
                    newHeaderFields.append(HeaderField(name: "uid", value: "the-user-id"))

                    let newRequest = Request(
                        path: request.path,
                        query: request.query,
                        method: request.method,
                        headerFields: newHeaderFields,
                        body: request.body
                    )
                    let response = try await next(newRequest, metadata)
                    return response

All that works great, but from the auth jwt token I extract a uid, i'd like to pass that along to the subsequent handlers. How could I achieve this?

In the code above, I tried adding it to the headers, but then in my handler I don't seem to see it:

    func authorizeUser(_ input: Operations.authorizeUser.Input) async throws -> Operations.authorizeUser.Output {
        print("INPUT", input.headers)
        return .ok(.init())
    }

Any ideas? I might be doing it completely wrong

[czechboy0]

@Jonovono you could add the value to a TaskLocal value on the server, which allows you to access it from the handler. Or inject a token storage object both into the middleware and the object implementing APIProtocol on the server.

[Jonovono]

Thanks @czechboy0 , I have went the TaskLocal route and seems to be working good!

[mapedd]

Right now, for default handlers generated by OpenAPI for Vapor. there's no way to access request object to authorize it. Is there any solution that being worked on?

[czechboy0]

Yes, there are two solutions to this, one you can use now, and one tracked by this issue that aims to generate some type-safe representation of the authorization rules from the OpenAPI document.

The first solution is to create a Vapor AsyncMiddleware type and save whatever information you'd like to pass along into a task local value. Then in the handler (your type conforming to APIProtocol, you extract the task local value and use it).

Something like this should work:

import OpenAPIVapor
import Vapor
​
enum MyTaskLocal {
    @TaskLocal
    static var vaporValue: String? // Or whatever value you're extracting.
}
​
struct TaskLocalVaporMiddleware: AsyncMiddleware {
    func respond(
        to request: Vapor.Request,
        chainingTo next: Vapor.AsyncResponder
    ) async throws -> Vapor.Response {
        try await MyTaskLocal.$vaporValue.withValue(request.<EXTRACT_VALUE_HERE>) {
            try await next.respond(to: request)
        }
    }
}
​
struct Handler: APIProtocol {
    func test(_ input: Operations.test.Input) async throws -> Operations.test.Output {
        print("Task local from Vapor middleware: \(MyTaskLocal.vaporValue ?? "<nil>")")
        return .noContent(.init())
    }
}
​
@main
struct Tool {
    static func main() async throws {
        let app = Application()
        app.middleware.use(TaskLocalVaporMiddleware())
        let transport = VaporTransport(routesBuilder: app)
        let handler = Handler()
        try handler.registerHandlers(on: transport)
        try app.run()
    }
}

One caveat, the last time I tested this, the middleware had to be the last one in the chain (otherwise it doesn't work), so add it right before you start the server. This allows you to pass values from the concrete Vapor.Request type all the way to your type-safe handlers.

[mapedd]

This looks great, thanks!