
Is there a way to hide authorization header from OpenAPI 3.1.0 UI, so that I would not need to set a dummy unused value every time?

Image example


For the following schema (copy to playground):

openapi: 3.1.0
info:
  title: Test
  version: 1.0.0
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
  schemas: {}
paths:
  /user:
    post:
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                name:
                  type: string
        required: true
      parameters:
        - schema:
            type: string
          in: header
          name: authorization
          required: true
      security:
        - bearerAuth: []
      responses:
        "200":
          description: Default Response

Fastify configuration:

import { fastify } from "fastify";
import fs from "@fastify/swagger";
import fsu from "@fastify/swagger-ui";

const app = fastify();

await app.register(fs, {
  openapi: {
    openapi: "3.1.0",
    components: {
      securitySchemes: {
        bearerAuth: {
          type: "http",
          scheme: "bearer",
        },
      },
    },
    security: [{ bearerAuth: [] }],
  },
});

await app.register(fsu);

app.get(
  "/",
  {
    schema: {
      headers: {
        type: "object",
        properties: { authorization: { type: "string" } },
        required: ["authorization"],
      },
    },
  },
  async (request, reply) => {
    return { hello: "world" };
  }
);

app
  .listen({ port: 3001 })
  .then(() => {
    console.log("listening");
  })
  .catch((err) => console.log(err));


  • Please post your @fastify/swagger configs related to authorization/security. Most likely, the issue is that the `POST /users` operation has an explicit "authorization" header defined somewhere, in addition to using a security scheme. – Helen Jun 27 '23 at 15:16
  • @Helen yes it does, but if I remove it, authorization headers will not be enforced for routes, and even in the OpenAPI UI I would be able to skip authorization. – Nick Berilov Jun 27 '23 at 15:27
  • In OpenAPI 3.x, the `Authorization` header must be defined only as a security scheme, it's not supposed to be defined as a header parameter. What do you mean by "if I remove it authorization headers will not be enforced for routes"? Enforced how? – Helen Jun 27 '23 at 15:34
  • @Helen If a headers schema is set for a route, I would not be able to make a request without an authorization header (it will throw a schema error about the required `request.headers.authorization` being missing). If I remove it, I can make unauthorized requests (without any headers). – Nick Berilov Jun 27 '23 at 15:39
  • @Helen Added fastify config. I can just add a hook to check if authorization headers are present and remove it from schema, but it feels like a strange workaround to me. Is it the only way? – Nick Berilov Jun 27 '23 at 15:41
  • I'm not familiar with Fastify. Does it maybe need some extra configs/code to handle auth, in addition to using OpenAPI annotations? Something like [this](https://github.com/fastify/fastify-bearer-auth#integration-with-fastifyauth) or [this](https://alexpearce.me/2022/06/fastapi-openapi-bearer-token/)? – Helen Jun 27 '23 at 15:47
  • @Helen I think I got it, basically I should not require authorization header in OpenAPI/route schema, but use hooks and check them manually. Please post your answer so I would be able to accept it – Nick Berilov Jun 27 '23 at 15:59
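The approach the comments converge on, written out as an added example (not code from the question or from Fastify itself): the `authorization` header is dropped from the route schema, the route keeps `security: [{ bearerAuth: [] }]` for the OpenAPI document, and an `onRequest` hook enforces the token. The `isValidToken` callback, the token store and the `fakeReply` stand-in are assumptions made so the hook can be exercised without a running server; in the question's app the hook would be registered with `app.addHook("onRequest", exampleHook)`.

```javascript
// Added example (not from the question): enforce the bearer token in a Fastify
// onRequest hook instead of declaring `authorization` as a required header in
// the route schema; the route keeps `security: [{ bearerAuth: [] }]` so Swagger
// UI shows only the padlock, with no duplicate header field.

// Extract the token from an Authorization header value, or null if the header
// is absent or does not use the Bearer scheme (scheme name is case-insensitive).
function parseBearer(headerValue) {
  if (typeof headerValue !== "string") return null;
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Build a callback-style Fastify hook. `isValidToken` is an assumed callback
// where real verification (signature, expiry, revocation) would live.
function makeBearerAuthHook(isValidToken) {
  return function bearerAuthHook(request, reply, done) {
    const token = parseBearer(request.headers.authorization);
    if (token === null || !isValidToken(token)) {
      // RFC 6750 style rejection. Sending a reply from a hook ends the
      // request, so done() is deliberately not called here.
      reply.code(401).header("www-authenticate", 'Bearer realm="api"');
      reply.send({ error: "Unauthorized" });
      return;
    }
    done();
  };
}

// Constructed token store for this example only.
const VALID_TOKENS = new Set(["example-token-123"]);
const exampleHook = makeBearerAuthHook((t) => VALID_TOKENS.has(t));

// Minimal stand-in for Fastify's reply so the hook can be exercised offline.
function fakeReply() {
  const r = { statusCode: 200, headers: {}, body: undefined };
  r.code = (c) => { r.statusCode = c; return r; };
  r.header = (k, v) => { r.headers[k.toLowerCase()] = v; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}

// Run the hook against constructed headers; returns what the client would see.
function checkRequest(headers) {
  const reply = fakeReply();
  let reachedHandler = false;
  exampleHook({ headers }, reply, () => { reachedHandler = true; });
  return { reachedHandler, status: reply.statusCode, body: reply.body };
}
```

Because the header is no longer part of the JSON schema, a missing token now produces a 401 from the hook rather than a 400 validation error, which is also what the `bearerAuth` security scheme advertises to clients.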
