web api contract securityHandlers


Kurt Sys

Jul 4, 2019, 6:14:42 AM
to vert.x
Hi,
Using the web api contract of vertx with securityhandlers seems not to execute the handlers:
In my project, I have a YAML file which contains:

security:
  - bearerJWT: []
...
components:
  securitySchemes:
    bearerJWT:
      type: http
      scheme: bearer
      bearerFormat: JWT

Loading the securityhandler in my code:

routerFactory.setOptions(new RouterFactoryOptions().setRequireSecurityHandlers(true));
HANDLERS.forEach((operationId, handler) -> {
  routerFactory.addHandlerByOperationId(operationId, handler.handler);
  routerFactory.addFailureHandlerByOperationId(operationId, handler.failureHandler);
});
routerFactory.addSecurityHandler("bearerJWT", this::securityHandler);

var router = routerFactory.getRouter();

completionHandler.accept(router);

The `HANDLERS` describe how to handle requests and failures - there's no issue with that `foreach`. The endpoints work fine, but there are 2 issues when I try to add security:
1. Every string seems to be valid (even when I replace `this::securityHandler` with `JWTAuthHandler.create(jwtAuth));`), so I can log in with any string as Bearer in the Authorization header.
2. I can execute every endpoint, no matter if I'm logged in or logged out.

What am I missing?

Thx.

Francesco Guardiani

Jul 4, 2019, 6:43:42 AM
to vert.x
Seems like the auth handler is not mounted. Is the "security" requirements object at the root of the OpenAPI document, or is it only in some specific operations? Can you try to debug the router created by routerFactory with any debugger to check if the security handlers are mounted?

Kurt Sys

Jul 4, 2019, 7:13:28 AM
to vert.x
The security requirements are global (for now), not on specific operations.

When getting the router, I can't find any securityHandler. I can find a lot of other ones (BodyHandlerImpl, OpenAPI3RequestValidationHandlerImpl, ResponseContentTypeHandlerImpl).

So... why (are they not mounted)? I'm adding them, afaik.


On Thursday, July 4, 2019 at 12:43:42 UTC+2, Francesco Guardiani wrote:

Kurt Sys

Jul 4, 2019, 9:09:03 AM
to vert.x
This is the router state:

INFO: ROUTER: io.vertx.ext.web.impl.RouterImpl@2ffee0bc[vertx=io.vertx.core.impl.VertxImpl@f44132b,routes=[Route[ path:null pattern:null handlers:[io.vertx.ext.web.handler.impl.BodyHandlerImpl@12943450] failureHandlers:[] order:0 methods:[]]@1952175672, Route[ path:/api/datasets pattern:null handlers:[io.vertx.ext.web.handler.impl.ResponseContentTypeHandlerImpl@1a8c8075, io.vertx.ext.web.api.contract.openapi3.impl.OpenAPI3RequestValidationHandlerImpl@568a1f77, <my.package.webapi>.RouterConfig$$Lambda$173/0x000000080132f840@6022c754] failureHandlers:[<my.package.webapi>.RouterConfig$OperationHandlers$$Lambda$174/0x000000080132fc40@53a749b4] order:1
...,
orderSequence=16,errorHandlers={501=io.vertx.ext.web.api.contract.impl.BaseRouterFactory$$Lambda$168/0x0000000801329440@7a4b061d}]

On Thursday, July 4, 2019 at 12:43:42 UTC+2, Francesco Guardiani wrote:
Seems like the auth handler is not mounted. Is the "security" requirements object at the root of the OpenAPI document, or is it only in some specific operations? Can you try to debug the router created by routerFactory with any debugger to check if the security handlers are mounted?

Francesco Guardiani

Jul 4, 2019, 9:43:23 AM
to vert.x
Can you open an issue on vertx-web repo and provide a reproducer?

Kurt Sys

Jul 4, 2019, 2:39:30 PM
to vert.x
Yes, I could, but I found the issue... apparently, my failureHandlers had some issues. It's solved now... Thanks a lot!

On Thursday, July 4, 2019 at 15:43:23 UTC+2, Francesco Guardiani wrote:
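
An added example, not part of the thread and not Vert.x code: a Python check of which security requirements an OpenAPI 3 document applies to each operation (an operation-level `security` replaces the root one, and an empty list removes it) and whether every referenced scheme has a handler registered. The operationIds, the paths other than `/api/datasets`, and the `registered_handlers` set are assumptions made for illustration.

```python
# Added example: audit which security schemes apply to each OpenAPI 3 operation.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def effective_security(spec):
    """Map operationId -> list of security requirement objects that apply to it."""
    root = spec.get("security", [])
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            op_id = op.get("operationId", f"{method.upper()} {path}")
            # An operation-level "security" key replaces the root one, even when empty.
            result[op_id] = op["security"] if "security" in op else root
    return result

def audit(spec, registered_handlers):
    """Return (unprotected operations, referenced schemes lacking a definition or handler)."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    unprotected, missing = [], set()
    for op_id, requirements in effective_security(spec).items():
        # No requirements, or an empty {} alternative, means anonymous access is allowed.
        if not requirements or any(not req for req in requirements):
            unprotected.append(op_id)
        for req in requirements:
            for scheme in req:
                if scheme not in defined or scheme not in registered_handlers:
                    missing.add(scheme)
    return sorted(unprotected), sorted(missing)

# Constructed sample document: the security sections mirror the YAML in the question;
# the operationIds and the /api/health and /api/admin paths are made up for illustration.
SPEC = {
    "security": [{"bearerJWT": []}],
    "paths": {
        "/api/datasets": {"get": {"operationId": "listDatasets"}},
        "/api/health": {"get": {"operationId": "health", "security": []}},
        "/api/admin": {"post": {"operationId": "admin", "security": [{"apiKey": []}]}},
    },
    "components": {"securitySchemes": {
        "bearerJWT": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
}

if __name__ == "__main__":
    unprotected, missing = audit(SPEC, registered_handlers={"bearerJWT"})
    print("operations reachable without authentication:", unprotected)
    print("schemes without a definition or registered handler:", missing)
```

This only audits the contract document; whether the generated router actually rejects a request without a valid token still has to be confirmed against the running service.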