fix: security handlers 'AND' functionality

Author: seriousme

.gitignore

@@ -84,3 +84,6 @@ $RECYCLE.BIN/
 
 # Windows shortcuts
 *.lnk
+
+# vscode config
+.vscode

examples/generated-javascript-project/package.json

@@ -20,9 +20,9 @@
   },
   "devDependencies": {
     "fastify": "^4.23.2",
-    "fastify-cli": "^5.8.0",
+    "fastify-cli": "^6.0.0",
     "tap": "",
-    "c8": "^8.0.1",
+    "c8": "^9.0.0",
     "@biomejs/biome": "^1.2.2",
     "husky": "^8.0.3"
   }

examples/generated-standaloneJS-project/index.js

@@ -137,7 +137,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "addPet").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -217,7 +217,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "updatePet").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -244,7 +244,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "findPetsByStatus").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -269,7 +269,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "findPetsByTags").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -291,7 +291,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "getPetById").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "api_key", parameters: [] },
+			[{ name: "api_key", parameters: [] }],
 		]).bind(Security),
 	});
 
@@ -326,7 +326,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "updatePetWithForm").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -348,7 +348,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "deletePet").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -383,7 +383,7 @@ async function generateRoutes(fastify, opts) {
 		},
 		handler: buildHandler(service, "uploadFile").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] },
+			[{ name: "petstore_auth", parameters: ["write:pets", "read:pets"] }],
 		]).bind(Security),
 	});
 
@@ -393,7 +393,7 @@ async function generateRoutes(fastify, opts) {
 		schema: {},
 		handler: buildHandler(service, "getInventory").bind(Service),
 		prehandler: buildPreHandler(security, [
-			{ name: "api_key", parameters: [] },
+			[{ name: "api_key", parameters: [] }],
 		]).bind(Security),
 	});
 

examples/generated-standaloneJS-project/package.json

@@ -19,9 +19,9 @@
   },
   "devDependencies": {
     "fastify": "^4.23.2",
-    "fastify-cli": "^5.8.0",
+    "fastify-cli": "^6.0.0",
     "tap": "",
-    "c8": "^8.0.1",
+    "c8": "^9.0.0",
     "@biomejs/biome": "^1.2.2",
     "husky": "^8.0.3"
   }

examples/generated-standaloneJS-project/securityHandlers.js

@@ -13,8 +13,6 @@ export default class SecurityHandlers {
 	/** constructor */
 	constructor(handlers) {
 		this.handlers = handlers;
-		// the specificatio allows for an empty scheme that allows all access
-		this.handlers[emptyScheme] = async () => {};
 		this.handlerMap = new Map();
 		this.missingHandlers = [];
 	}
@@ -25,21 +23,23 @@ export default class SecurityHandlers {
 		}
 		const mapKey = JSON.stringify(schemes);
 		if (!this.handlerMap.has(mapKey)) {
-			const processedSchemes = [];
-			for (const scheme of schemes) {
-				// parser returns undefined on empty scheme
-				if (scheme.name === undefined) {
-					scheme.name = emptyScheme;
-				}
-				if (!(scheme.name in this.handlers)) {
-					this.handlers[scheme.name] = () => {
-						throw `Missing handler for "${scheme.name}" validation`;
-					};
-					this.missingHandlers.push(scheme.name);
+			const processedSchemesList = [];
+			for (const schemeList of schemes) {
+				const processedSchemes = [];
+				if (schemeList?.length > 0) {
+					for (const scheme of schemeList) {
+						if (!(scheme.name in this.handlers)) {
+							this.handlers[scheme.name] = () => {
+								throw `Missing handler for "${scheme.name}" validation`;
+							};
+							this.missingHandlers.push(scheme.name);
+						}
+						processedSchemes.push(scheme);
+					}
 				}
-				processedSchemes.push(scheme);
+				processedSchemesList.push(processedSchemes);
 			}
-			this.handlerMap.set(mapKey, this._buildHandler(processedSchemes));
+			this.handlerMap.set(mapKey, this._buildHandler(processedSchemesList));
 		}
 		return this.handlerMap.has(mapKey);
 	}
@@ -62,24 +62,30 @@ export default class SecurityHandlers {
 		const securityHandlers = this.handlers;
 		return async (req, reply) => {
 			const handlerErrors = [];
-			const schemeList = [];
+			const schemeListDone = [];
 			let statusCode = 401;
-			for (const scheme of schemes) {
+			for (const schemeList of schemes) {
+				let scheme;
+				const andList = [];
 				try {
-					await securityHandlers[scheme.name](req, reply, scheme.parameters);
-					return; // If one security check passes, no need to try any others
+					for (scheme of schemeList) {
+						andList.push(scheme.name);
+						// all the handlers in a scheme list must succeed
+						await securityHandlers[scheme.name](req, reply, scheme.parameters);
+					}
+					return; // If one list of schemes passes, no need to try any others
 				} catch (err) {
 					req.log.debug(`Security handler '${scheme.name}' failed: '${err}'`);
 					handlerErrors.push(err);
 					if (err.statusCode !== undefined) {
 						statusCode = err.statusCode;
 					}
 				}
-				schemeList.push(scheme.name);
+				schemeListDone.push(andList.toString());
 			}
 			// if we get this far no security handlers validated this request
 			throw new SecurityError(
-				`None of the security schemes (${schemeList.join(
+				`None of the security schemes (${schemeListDone.join(
 					", ",
 				)}) successfully authenticated this request.`,
 				statusCode,

lib/ParserBase.js

@@ -47,11 +47,14 @@ export class ParserBase {
 	parseSecurity(schemes) {
 		return schemes
 			? schemes.map((item) => {
-					const name = Object.keys(item)[0];
-					return {
-						name,
-						parameters: item[name],
-					};
+					const result = [];
+					for (const name in item) {
+						result.push({
+							name,
+							parameters: item[name],
+						});
+						return result;
+					}
 			  })
 			: undefined;
 	}

lib/securityHandlers.js

@@ -13,8 +13,6 @@ export default class SecurityHandlers {
 	/** constructor */
 	constructor(handlers) {
 		this.handlers = handlers;
-		// the specificatio allows for an empty scheme that allows all access
-		this.handlers[emptyScheme] = async () => {};
 		this.handlerMap = new Map();
 		this.missingHandlers = [];
 	}
@@ -25,21 +23,23 @@ export default class SecurityHandlers {
 		}
 		const mapKey = JSON.stringify(schemes);
 		if (!this.handlerMap.has(mapKey)) {
-			const processedSchemes = [];
-			for (const scheme of schemes) {
-				// parser returns undefined on empty scheme
-				if (scheme.name === undefined) {
-					scheme.name = emptyScheme;
-				}
-				if (!(scheme.name in this.handlers)) {
-					this.handlers[scheme.name] = () => {
-						throw `Missing handler for "${scheme.name}" validation`;
-					};
-					this.missingHandlers.push(scheme.name);
+			const processedSchemesList = [];
+			for (const schemeList of schemes) {
+				const processedSchemes = [];
+				if (schemeList?.length > 0) {
+					for (const scheme of schemeList) {
+						if (!(scheme.name in this.handlers)) {
+							this.handlers[scheme.name] = () => {
+								throw `Missing handler for "${scheme.name}" validation`;
+							};
+							this.missingHandlers.push(scheme.name);
+						}
+						processedSchemes.push(scheme);
+					}
 				}
-				processedSchemes.push(scheme);
+				processedSchemesList.push(processedSchemes);
 			}
-			this.handlerMap.set(mapKey, this._buildHandler(processedSchemes));
+			this.handlerMap.set(mapKey, this._buildHandler(processedSchemesList));
 		}
 		return this.handlerMap.has(mapKey);
 	}
@@ -62,24 +62,30 @@ export default class SecurityHandlers {
 		const securityHandlers = this.handlers;
 		return async (req, reply) => {
 			const handlerErrors = [];
-			const schemeList = [];
+			const schemeListDone = [];
 			let statusCode = 401;
-			for (const scheme of schemes) {
+			for (const schemeList of schemes) {
+				let scheme;
+				const andList = [];
 				try {
-					await securityHandlers[scheme.name](req, reply, scheme.parameters);
-					return; // If one security check passes, no need to try any others
+					for (scheme of schemeList) {
+						andList.push(scheme.name);
+						// all the handlers in a scheme list must succeed
+						await securityHandlers[scheme.name](req, reply, scheme.parameters);
+					}
+					return; // If one list of schemes passes, no need to try any others
 				} catch (err) {
 					req.log.debug(`Security handler '${scheme.name}' failed: '${err}'`);
 					handlerErrors.push(err);
 					if (err.statusCode !== undefined) {
 						statusCode = err.statusCode;
 					}
 				}
-				schemeList.push(scheme.name);
+				schemeListDone.push(andList.toString());
 			}
 			// if we get this far no security handlers validated this request
 			throw new SecurityError(
-				`None of the security schemes (${schemeList.join(
+				`None of the security schemes (${schemeListDone.join(
 					", ",
 				)}) successfully authenticated this request.`,
 				statusCode,

test/service.js

@@ -220,6 +220,32 @@ export class Service {
 		};
 	}
 
+	// Operation: testOperationSecurity
+	// summary:  Test response serialization
+	// req.query:
+	//   type: object
+	//   properties:
+	//     respType:
+	//       type: string
+	//
+	// valid responses:
+	//   '200':
+	//     description: ok
+	//     schema:
+	//       type: object
+	//       properties:
+	//         response:
+	//           type: string
+	//       required:
+	//         - response
+	//
+
+	async testOperationSecurityUsingAnd(req) {
+		return {
+			response: "Authentication succeeded!",
+		};
+	}
+
 	// Operation: testOperationSecurityWithParameter
 	// summary:  Test response serialization
 	// req.query:

test/test-openapi.v3.json

@@ -267,7 +267,7 @@
 		"/operationSecurity": {
 			"get": {
 				"operationId": "testOperationSecurity",
-				"summary": "Test security handling",
+				"summary": "Test security handling OR functionality",
 				"security": [
 					{
 						"api_key": []
@@ -303,6 +303,40 @@
 				}
 			}
 		},
+		"/operationSecurityUsingAnd": {
+			"get": {
+				"operationId": "testOperationSecurityUsingAnd",
+				"summary": "Test security handling AND functionality",
+				"security": [
+					{
+						"api_key": ["and"],
+						"skipped": ["works"]
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "ok",
+						"content": {
+							"application/json": {
+								"schema": {
+									"$ref": "#/components/schemas/responseObject"
+								}
+							}
+						}
+					},
+					"401": {
+						"description": "unauthorized",
+						"content": {
+							"application/json": {
+								"schema": {
+									"$ref": "#/components/schemas/errorObject"
+								}
+							}
+						}
+					}
+				}
+			}
+		},
 		"/operationSecurityWithParameter": {
 			"get": {
 				"operationId": "testOperationSecurityWithParameter",