In OpenAPI 3, is it possible to define a SecurityScheme at global level but then override it at certain endpoints to not use security (for public accessible endpoints)?
For example (taken from https://swagger.io/docs/specification/authentication/bearer-authentication/):
openapi: 3.0.0
...
# 1) Define the security scheme type (HTTP bearer)
components:
  securitySchemes:
    bearerAuth:            # arbitrary name for the security scheme
      type: http
      scheme: bearer
      bearerFormat: JWT    # optional, arbitrary value for documentation purposes
# 2) Apply the security globally to all operations
security:
  - bearerAuth: []         # use the same name as above
And then make a given endpoint publicly accessible (unprotected):
paths:
  /unprotected/path:
    get:
      security: []
Or should this be done in another way?
Update: this question was marked as a duplicate, but the other question is about Swagger 2.x, and since the syntax is different, I think this question and its answers should remain.
You can indeed override security on a per-path basis in OA3 as follows:
paths:
  /unprotected/path:
    get:
      security: []
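The override rule the answer relies on, shown as an added example that is not part of the question or the answer: a small Python resolver that walks an OpenAPI 3 document and reports the effective security requirement of every operation, which is what an auditor wants when checking which endpoints are reachable without a token. The sample document is constructed here (the question's global bearerAuth and unprotected GET, plus an optional-auth operation and a reference to an undefined apiKeyAuth scheme to show the edge cases); the function names are mine, and the document is held as a Python dict rather than parsed from YAML so the script has no dependencies.

```python
"""Effective per-operation security in an OpenAPI 3 document.

Rules, as stated by the OpenAPI 3 specification:
  * a root-level `security` list is the default for every operation;
  * an operation-level `security` list replaces (never merges with) the default;
  * `security: []` on an operation therefore makes it public;
  * an empty requirement object `{}` inside the list makes authentication optional.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample document: the question's global bearerAuth and unprotected GET,
# plus extra operations to exercise the edge cases (not from the original post).
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        }
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/unprotected/path": {"get": {"security": []}},
        "/protected/path": {"get": {}, "post": {"security": [{"bearerAuth": []}]}},
        "/optional/path": {"get": {"security": [{}, {"bearerAuth": []}]}},
        "/typo/path": {"get": {"security": [{"apiKeyAuth": []}]}},  # scheme never defined
    },
}


def effective_security(spec, path, method):
    """Return the security requirement list that applies to one operation."""
    operation = spec["paths"][path][method]
    if "security" in operation:          # explicit override, even when it is []
        return operation["security"]
    return spec.get("security", [])      # otherwise inherit the root-level default


def access_level(spec, path, method):
    """Classify an operation as 'public', 'optional' or 'required'."""
    requirements = effective_security(spec, path, method)
    if not requirements:
        return "public"
    if any(req == {} for req in requirements):
        return "optional"
    return "required"


def operations(spec):
    """Yield (method, path) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method in HTTP_METHODS:
                yield method, path


def unauthenticated_operations(spec):
    """(METHOD, path, level) for operations reachable without credentials."""
    return [
        (method.upper(), path, access_level(spec, path, method))
        for method, path in operations(spec)
        if access_level(spec, path, method) != "required"
    ]


def undefined_schemes(spec):
    """Scheme names referenced by an operation but missing from
    components.securitySchemes; such a reference is a spec error and usually
    means the operation is not protected the way its author intended."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    missing = set()
    for method, path in operations(spec):
        for requirement in effective_security(spec, path, method):
            missing.update(set(requirement) - defined)
    return sorted(missing)


if __name__ == "__main__":
    for method, path, level in unauthenticated_operations(SAMPLE_SPEC):
        print(f"{level:9} {method} {path}")
    print("undefined schemes:", undefined_schemes(SAMPLE_SPEC))
```

Run against a real document by loading it with a YAML or JSON parser into `spec`; the two report functions are the ones worth wiring into a CI check, since a `security: []` that was meant to be temporary, or a requirement naming a scheme that was renamed in `components`, both silently leave an operation open.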
Related
I'm learning how to use swagger/openapi, and starting to use the swagger-routes-express package to simplify the association of routes to an OpenAPI definition. One of the things I'm confused about is the servers config. For example, here's an excerpt from the swagger-routes-express example for OpenAPI Version 3:
paths:
  /ping:
    get:
      tags:
        - root
      summary: Get Server Information
      description: Returns information about the server
      operationId: ping
      responses:
        '200':
          description: success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServerInfo'
servers:
  - url: /api/v1
Here we've got a get path of /ping. It seems like this gets added onto the end of the server's url:
/api/v1/ping
I understand that multiple servers can be listed under the servers section, and you might want to do that for development, testing, and production. Based on my testing, it seems like the route path that's created is based on the first server entry. Is that correct? How will this work when multiple servers are defined?
NestJS URI Versioning for HTTP REST applications can be easily enabled when following the docs here.
The docs do not, however, explain how to make URI versioning optional.
Example:
/api/v1/users
/api/v2/users
/api/users -> should be mapped to v1 to allow existing webhooks to keep working
Question:
How can we make URI versioning optional in a NestJS REST application so that old versions (without any API version) keep working?
You should use the VERSION_NEUTRAL version in the defaultVersion option, like:
app.enableVersioning({
  type: VersioningType.URI,
  defaultVersion: [VERSION_NEUTRAL, '1', '2'],
});
https://docs.nestjs.com/techniques/versioning
UPDATE:
The following is a hack and results in the global prefix for URI versioning no longer working; please use the accepted answer.
Original Answer:
To make versioning optional, set the versioning prefix to an empty string (default is v) and set the versioning string including the prefix explicitly.
In main.ts:
app.enableVersioning({
  type: VersioningType.URI,
  defaultVersion: ['', 'v1', 'v2'],
  prefix: '',
});
In the v1 controller:
@Controller({ path: 'users', version: ['v1', ''] })
Is it possible to have a lambda function with a different custom domain than the others? In a serverless lambda project, I need one lambda to use a different custom domain than the other lambdas. For example:
userNotification --> dev.xyz.com/users
all others
getProducts --> dev.abc.com/products
I tried using a custom domain as follows, but it did not work.
userNotification:
  handler: src/index.handler
  events:
    - http:
        method: get
        path: /userNotification
        cors:
          origin: '*'
          headers:
            - Content-Type
            - X-Amz-Date
            - Authorization
            - X-Api-Key
            - X-Amz-Security-Token
            - If-Match
            - If-None-Match
  # override default customDomain
  customDomain:
    domainName: 'dev.xyz-comm-sanbox.com'
    basePath: dev-newbank
    stage: dev
    createRoute53Record: true
In serverless.yml, I'm using custom domains as follows. This works fine, but then I have a single customDomain for all lambda functions. I need one lambda to use a different customDomain than the others:
custom:
  customDomain:
    basePath: dev-newbank
    domainName: 'dev.abc.com'
    stage: 'dev'
    createRoute53Record: true
    endpointType: regional
    securityPolicy: tls_1_2
I think you would have to have 2 different serverless.ymls, 1 for managing your /products path and one for /users. Then you could specify different domains for each. Since underneath it all API Gateway only supports custom domains on the API, not on individual endpoints in the API, you would have to split your lambdas up.
I've created a new entity with ResourceBundle, but in the profiler I can't see the events.
Must I create them manually?
Creating an EventListener for sylius.book.pre_create doesn't do anything.
Additional info
Hi another time, lchrusciel.
This is my configuration for my resource:
dinamic_sylius_post:
    resource: |
        alias: dinamic.post
        path: blog/post
    type: sylius.resource

dinamic_sylius_admin_post:
    resource: |
        alias: dinamic.post
        section: admin
        templates: SyliusAdminBundle:Crud
        except: ['show', 'delete']
        redirect: index
        grid: dinamic_sylius_blog_post
    type: sylius.resource
    prefix: admin/
And on my bundle config I have this:
sylius_resource:
    resources:
        dinamic.post:
            classes:
                model: Dinamic\Bundle\SyliusBlogBundle\Entity\Post
                form:
                    default: Dinamic\Bundle\SyliusBlogBundle\Form\PostType
What I'm doing wrong then?
If it is your custom resource you should look for the app.book.pre_create event.
As you can see here, the event name depends on the application name, which is sylius for predefined Sylius resources, but if you defined your own, it is usually app.
If you have followed the Sylius docs about using ResourceBundle with your own resources, you have found the following config:
sylius_resource:
    resources:
        app.book:
            classes:
                model: AppBundle\Entity\Book
So the important part of this config is the alias of the resource, app.book. The dot splits the alias into the application name (app) and the resource name (book).
Same rules apply to crud generation config:
app_book:
    resource: |
        alias: app.book
    type: sylius.resource_api
Using app as the application name is the Sylius recommendation, but you can arbitrarily choose any other.
Edit
In your example this is an important part:
sylius_resource:
    resources:
        dinamic.post:
            classes:
According to it, dinamic is the application name and post is the resource name. So the following events should be triggered:
dinamic.post.pre_create
dinamic.post.post_create
dinamic.post.pre_update
dinamic.post.post_update
dinamic.post.pre_delete
dinamic.post.post_delete
Is there any documentation on use of [Restrict] attribute with service stack?
Not finding any documentation, I started trying to figure this out. I discovered you have to enable restrictions in the AppHost.cs Configure event with:
var endpointHostConfig = new EndpointHostConfig
{
    EnableAccessRestrictions = true,
};
Then I added attributes to my request DTO:
[Route("Hello/World", "GET")]
[Restrict(EndpointAttributes.InternalNetworkAccess)]
This does not work... it looks like that removes all 'default' restrictions and replaces them with just that one restriction? Using this instead seems to work:
[Restrict(InternalOnly = true)]
When I do a GET from the local LAN it works, but from remote it does not. Interestingly, the 'detailed stack error' it gives from remote is:
The following restrictions were not met: '\n -[InternalNetworkAccess, Secure, HttpHead, HttpPost, HttpPut, HttpDelete,
HttpOther, OneWay, Soap11, Soap12, Xml, Jsv, ProtoBuf, Csv, Html, Yaml, MsgPack, FormatOther, AnyEndpoint]'
Note, it does not even list HttpGet as one of the possibilities - which does work. It also mentions Secure and not InSecure... neither of which I am specifically requiring.
Can we get some clarification on exactly how this is supposed to work? What if I wanted to require SSL - how would I specify that?
What if I wanted to require SSL in production, but not staging on all services for this endpoint? (Realizing this may be a completely different way to configure).
The [Restrict] attribute feature is in the latest version of ServiceStack. Currently the only documentation for this exists in the Security wiki page.
Here are some EndpointAttributes restrictions tests that test the validation of the restriction attributes, and some different service configurations you can use.
The way it works is that it's restricted to whatever is specified, so if you want to enable SSL and leave everything else unrestricted, you would only add:
[Restrict(EndpointAttributes.Secure)]
public class SslOnly { }
It also supports specifying multiple combinations of environments that are allowed, e.g. you can enforce HTTP internally but HTTPS externally with:
[Restrict(EndpointAttributes.Secure | EndpointAttributes.External,
          EndpointAttributes.InSecure | EndpointAttributes.InternalNetworkAccess)]
public class SslExternalAndInsecureInternal { }
Note: each environment is combined with Enum flags and delimited with a ,.
But it doesn't let you distinguish between debug and release builds; to enable this you would need to use C# conditional compilation symbols.
E.g. only allow HTTP for Debug builds and HTTPS for production Release builds:
#if DEBUG
[Restrict(EndpointAttributes.InSecure)]
#else
[Restrict(EndpointAttributes.Secure)]
#endif
public class MyRequestDto { ... }
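To make the answer's rule concrete (one attribute argument is one allowed environment built from flags; a request passes if it satisfies at least one of them), here is an added Python model of that evaluation. It is an illustration written for this page, not ServiceStack's code: the flag names are the ones that appear in the question's error message, their numeric values are invented, and the three sample requests are constructed. `SSL_ONLY` and `SSL_EXTERNAL_INSECURE_INTERNAL` correspond to the two `[Restrict(...)]` declarations in the answer.

```python
"""Model of how a [Restrict] attribute is evaluated (illustration only; this is not
ServiceStack's code and the flag values below are arbitrary).

Reading of the answer: every argument of [Restrict(...)] is one allowed environment,
a combination of EndpointAttributes flags; a request is admitted when at least one
allowed environment has all of its flags present in the request's attributes.
"""

from enum import IntFlag, auto


class EndpointAttributes(IntFlag):
    """Subset of the flag names that appear on the page; values invented here."""
    InternalNetworkAccess = auto()
    External = auto()
    Secure = auto()
    InSecure = auto()
    HttpGet = auto()
    HttpPost = auto()


def is_allowed(environments, request):
    """True when the request satisfies at least one allowed environment
    (all flags of that environment are present in the request)."""
    return any((env & request) == env for env in environments)


def unmet_flags(environments, request):
    """For each environment the request fails, the flags it is missing."""
    return [
        EndpointAttributes(int(env) & ~int(request))
        for env in environments
        if (env & request) != env
    ]


# [Restrict(EndpointAttributes.Secure)]
SSL_ONLY = [EndpointAttributes.Secure]

# [Restrict(EndpointAttributes.Secure | EndpointAttributes.External,
#           EndpointAttributes.InSecure | EndpointAttributes.InternalNetworkAccess)]
SSL_EXTERNAL_INSECURE_INTERNAL = [
    EndpointAttributes.Secure | EndpointAttributes.External,
    EndpointAttributes.InSecure | EndpointAttributes.InternalNetworkAccess,
]

# Constructed requests: the attributes a host would derive from an incoming call.
EXTERNAL_HTTPS_GET = (EndpointAttributes.External | EndpointAttributes.Secure
                      | EndpointAttributes.HttpGet)
INTERNAL_HTTP_GET = (EndpointAttributes.InternalNetworkAccess | EndpointAttributes.InSecure
                     | EndpointAttributes.HttpGet)
EXTERNAL_HTTP_GET = (EndpointAttributes.External | EndpointAttributes.InSecure
                     | EndpointAttributes.HttpGet)


if __name__ == "__main__":
    for name, req in [("external https", EXTERNAL_HTTPS_GET),
                      ("internal http", INTERNAL_HTTP_GET),
                      ("external http", EXTERNAL_HTTP_GET)]:
        print(f"{name:15} ssl-only={is_allowed(SSL_ONLY, req)!s:5} "
              f"mixed={is_allowed(SSL_EXTERNAL_INSECURE_INTERNAL, req)!s:5} "
              f"unmet={unmet_flags(SSL_EXTERNAL_INSECURE_INTERNAL, req)}")
```

The third sample request (plain HTTP from outside the network) is the case the mixed restriction exists to reject: it matches neither the "Secure and External" nor the "InSecure and InternalNetworkAccess" environment, and `unmet_flags` reports the one flag missing from each, which is the kind of list the question's "restrictions were not met" error prints.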