Conversation
…mes and maintain backward compatibility
… enhanced authentication handling
There was a problem hiding this comment.
Pull request overview
This PR extends the library’s authentication/authorization support to handle multiple OpenAPI security schemes (Basic Auth, API Key, AWS SigV4, and existing Bearer), adding dispatch logic and validators while keeping Bearer-only behavior as a fallback for backwards compatibility.
Changes:
- Add multi-scheme authentication dispatch and standalone middleware for Basic, API Key, and AWS SigV4.
- Update authorization validation to use configured security schemes (with Bearer-only fallback when none are configured).
- Add extensive test coverage and update the auth example to demonstrate multi-scheme configuration/usage.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| conditional_auth.go | Adds SmartAuth selection logic and new multi-scheme + per-scheme middleware. |
| common.go | Passes Config into authorization validation to enable scheme-aware auth. |
| auth.go | Updates validateAuthorization to support multi-scheme validation with backward-compatible fallback. |
| auth_schemes.go | Introduces scheme validator interfaces, parsing/validation helpers, and scheme dispatch. |
| auth_schemes_test.go | Adds tests for Basic/APIKey/AWS SigV4 validators and multi-scheme dispatch behavior. |
| _examples/auth/main.go | Updates the example auth service and OpenAPI config to demonstrate multiple schemes. |
Comments suppressed due to low confidence (1)
conditional_auth.go:42
- SmartAuthMiddleware builds excludePaths directly from config.*Path fields. If any of these are empty strings (e.g., SmartAuthMiddleware called with a zero Config), ConditionalAuthMiddleware will treat every route as excluded because strings.HasPrefix(path, "") is always true, effectively disabling authentication. Filter out empty excludePaths (or apply defaults before building the list).
// Paths to exclude from authentication
excludePaths := []string{
config.OpenAPIDocsPath, // /docs
config.OpenAPIJSONPath, // /openapi.json
config.OpenAPIYamlPath, // /openapi.yaml
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…idate security requirements for empty cases
…ror with appropriate status codes
…re to provide detailed error messages and appropriate status codes
…tication and authorization errors
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…te status codes for authorization failures
…eaders and improve security requirement sorting
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…rver configuration error for missing security schemes
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…in security requirements
…return AuthError with status codes
…ppropriate status codes and messages
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@moutonjeremy I've opened a new pull request, #34, to work on those changes. Once the pull request is ready, I'll request review from you. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // fall back to Bearer-only validation (original behavior). | ||
| if config == nil || len(config.SecuritySchemes) == 0 { | ||
| authCtx, err := validateBearerToken(c, authService) | ||
| if err != nil { |
There was a problem hiding this comment.
In the backward-compatibility branch (len(config.SecuritySchemes)==0), any error from validateBearerToken is wrapped into AuthError{StatusCode:401,...}. This discards typed errors coming from authService.ValidateToken (e.g., an *AuthError with a 5xx status for an internal failure), which can cause internal errors to be reported as 401. Consider preserving *AuthError (and its status code) when ValidateToken returns one, and only default to 401 for untyped errors.
| if err != nil { | |
| if err != nil { | |
| // Preserve typed AuthError (including 5xx) and map ScopeError to 403, | |
| // falling back to 401 only for untyped errors. | |
| var authErr *AuthError | |
| if errors.As(err, &authErr) { | |
| return err | |
| } | |
| var scopeErr *ScopeError | |
| if errors.As(err, &scopeErr) { | |
| return &AuthError{StatusCode: 403, Message: err.Error()} | |
| } |
Introduce mock authentication services and implement validators for Basic Auth, API Key, and AWS SigV4. Enhance authorization validation to support multiple security schemes while maintaining backward compatibility. Implement middleware for improved authentication handling. Update input parsing to accommodate new configuration options.