support security validation for cookie auth

cdimascio · Apr 25, 2020 · b7d7afc · b7d7afc
1 parent 03ba8d6
commit b7d7afc
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 85 deletions.
diff --git a/src/middlewares/openapi.security.ts b/src/middlewares/openapi.security.ts
@@ -120,7 +120,7 @@ class SecuritySchemes {
       ? defaultSecurityHandler
       : null;
 
-    const promises = this.securities.map(async s => {
+    const promises = this.securities.map(async (s) => {
       try {
         if (Util.isEmptyObject(s)) {
           // anonumous security
@@ -242,8 +242,11 @@ class AuthValidator {
         if (!req.query[scheme.name]) {
           throw Error(`query parameter '${scheme.name}' required`);
         }
+      } else if (scheme.in === 'cookie') {
+        if (!req.cookies[scheme.name]) {
+          throw Error(`cookie '${scheme.name}' required`);
+        }
       }
-      // TODO scheme in cookie
 
       this.dissallowScopes();
     }

diff --git a/test/resources/security.yaml b/test/resources/security.yaml
@@ -1,4 +1,4 @@
-openapi: '3.0.2'
+openapi: "3.0.2"
 info:
   version: 1.0.0
   title: requestBodies $ref
@@ -8,20 +8,20 @@ servers:
   - url: /v1/
 
 paths:
-  /no_security: 
+  /no_security:
     get:
       responses:
-        '200':
+        "200":
           description: OK
 
   /api_key:
     get:
       security:
         - ApiKeyAuth: []
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
           description: unauthorized
 
   /api_key_or_anonymous:
@@ -31,41 +31,51 @@ paths:
         - {}
         - ApiKeyAuth: []
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
           description: unauthorized
 
   # This api key with scopes should fail validation and return 500
   # scopes are only allowed for oauth2 and openidconnect
   /api_key_with_scopes:
     get:
       security:
-        - ApiKeyAuth: ['read', 'write']
+        - ApiKeyAuth: ["read", "write"]
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
           description: unauthorized
 
   /bearer:
     get:
       security:
         - BearerAuth: []
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
           description: unauthorized
 
   /basic:
     get:
       security:
         - BasicAuth: []
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
+          description: unauthorized
+
+  /cookie_auth:
+    get:
+      security:
+        - CookieAuth: []
+      responses:
+        "200":
+          description: OK
+        "401":
           description: unauthorized
 
   /oauth2:
@@ -75,9 +85,9 @@ paths:
             - scope1
             - scope2
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
           description: unauthorized
 
   /openid:
@@ -87,9 +97,9 @@ paths:
             - scope1
             - scope2
       responses:
-        '200':
+        "200":
           description: OK
-        '401':
+        "401":
           description: unauthorized
 
 components:
@@ -104,6 +114,10 @@ components:
       type: apiKey
       in: header
       name: X-API-Key
+    CookieAuth:
+      type: apiKey
+      in: cookie
+      name: JSESSIONID # cookie name
     OpenID:
       type: openIdConnect
       openIdConnectUrl: https://example.com/.well-known/openid-configuration

diff --git a/test/security.defaults.spec.ts b/test/security.defaults.spec.ts
@@ -18,6 +18,7 @@ describe('security.defaults', () => {
       express
         .Router()
         .get(`/api_key`, (req, res) => res.json({ logged_in: true }))
+        .get(`/cookie_auth`, (req, res) => res.json({ logged_in: true }))
         .get(`/bearer`, (req, res) => res.json({ logged_in: true }))
         .get(`/basic`, (req, res) => res.json({ logged_in: true }))
         .get('/no_security', (req, res) => res.json({ logged_in: true })),
@@ -29,15 +30,14 @@ describe('security.defaults', () => {
   });
 
   it('should return 200 if no security', async () =>
-    request(app)
-      .get(`${basePath}/no_security`)
-      .expect(200));
+    request(app).get(`${basePath}/no_security`).expect(200));
 
   it('should skip validation, even if auth header is missing for basic auth', async () => {
     return request(app)
       .get(`${basePath}/basic`)
       .expect(401)
-      .then(r => {
+      .then((r) => {
+        console.log(r.body);
         expect(r.body)
           .to.have.property('message')
           .that.equals('Authorization header required');
@@ -47,10 +47,22 @@ describe('security.defaults', () => {
   it('should skip security validation, even if auth header is missing for bearer auth', async () => {
     return request(app)
       .get(`${basePath}/bearer`)
-      .expect(401).then(r => {
+      .expect(401)
+      .then((r) => {
         expect(r.body)
           .to.have.property('message')
           .that.equals('Authorization header required');
-      })
+      });
+  });
+
+  it('should return 401 if cookie auth property is missing', async () => {
+    return request(app)
+      .get(`${basePath}/cookie_auth`)
+      .expect(401)
+      .then((r) => {
+        expect(r.body)
+          .to.have.property('message')
+          .that.equals('cookie \'JSESSIONID\' required');
+      });
   });
 });