fix: correct security schema logic for OR verification

Author: lukebellamy053

src/middlewares/openapi.security.ts

@@ -17,11 +17,13 @@ const defaultSecurityHandler = (
 type SecuritySchemesMap = {
   [key: string]: OpenAPIV3.ReferenceObject | OpenAPIV3.SecuritySchemeObject;
 };
+
 interface SecurityHandlerResult {
   success: boolean;
   status?: number;
   error?: string;
 }
+
 export function security(
   apiDoc: OpenAPIV3.Document,
   securityHandlers: SecurityHandlers,
@@ -62,50 +64,19 @@ export function security(
 
       // TODO handle AND'd and OR'd security
       // This assumes OR only! i.e. at least one security passed authentication
-      let firstError: SecurityHandlerResult = null;
-      let success = false;
-
-      function checkErrorWithOr(res) {
-        return res.forEach((r) => {
-          if (r.success) {
-            success = true;
-          } else if (!firstError) {
-            firstError = r;
-          }
-        });
-      }
-
-      function checkErrorsWithAnd(res) {
-        let allSuccess = false;
-
-        res.forEach((r) => {
-          if (!r.success) {
-            allSuccess = false;
-            if (!firstError) {
-              firstError = r;
-            }
-          } else if (!firstError) {
-            allSuccess = true;
-          }
-        });
-
-        if (allSuccess) {
-          success = true;
-        }
-      }
-
-      results.forEach((result) => {
-        if (Array.isArray(result) && result.length > 1) {
-          checkErrorsWithAnd(result);
-        } else {
-          checkErrorWithOr(result);
+      const success = results.some(result => Array.isArray(result) ? !result.some(it => !it.success) : result.success);
+      const errors = results.map(result => {
+        if(Array.isArray(result) ) {
+          return result.map(it => it).filter(it => !it.success)
         }
-      });
+        return [result].filter(it => !it.success)
+      })
 
       if (success) {
         next();
       } else {
-        throw firstError;
+        const allErrors = errors.flatMap(it => [...it]);
+        throw allErrors.find(Boolean)
       }
     } catch (e) {
       const message = e?.error?.message || 'unauthorized';
@@ -129,6 +100,7 @@ class SecuritySchemes {
   private securitySchemes: SecuritySchemesMap;
   private securityHandlers: SecurityHandlers;
   private securities: OpenAPIV3.SecurityRequirementObject[];
+
   constructor(
     securitySchemes: SecuritySchemesMap,
     securityHandlers: SecurityHandlers,
@@ -213,6 +185,7 @@ class AuthValidator {
   private scheme;
   private path: string;
   private scopes: string[];
+
   constructor(req: OpenApiRequest, scheme, scopes: string[] = []) {
     const openapi = <OpenApiRequestMetadata>req.openapi;
     this.req = req;

test/resources/security.yaml

@@ -90,6 +90,19 @@ paths:
         "401":
           description: unauthorized
 
+  /multi_auth:
+    get:
+      security:
+        - ApiKeyAuth: []
+          BearerAuth: []
+        - BasicAuth: []
+          CookieAuth: []
+      responses:
+        "200":
+          description: OK
+        "401":
+          description: unauthorized
+
   /oauth2:
     get:
       security:

test/security.defaults.spec.ts

@@ -21,7 +21,8 @@ describe('security.defaults', () => {
         .get(`/cookie_auth`, (req, res) => res.json({ logged_in: true }))
         .get(`/bearer`, (req, res) => res.json({ logged_in: true }))
         .get(`/basic`, (req, res) => res.json({ logged_in: true }))
-        .get('/no_security', (req, res) => res.json({ logged_in: true })),
+        .get('/no_security', (req, res) => res.json({ logged_in: true }))
+        .get('/multi_auth', (req, res) => res.json({ logged_in: true }))
     );
   });
 
@@ -64,4 +65,24 @@ describe('security.defaults', () => {
           .that.equals('cookie \'JSESSIONID\' required');
       });
   });
+
+  it("Should return 200 WHEN one of multiple security rules is met GIVEN a request with apiKey and bearer token", () => {
+    return request(app)
+      .get(`${basePath}/multi_auth`)
+      .set({
+        "Authorization": "Bearer rawww",
+        "X-API-Key": "hello world"
+      })
+      .expect(200)
+  })
+
+  it("Should return 200 WHEN one of multiple security rules is met GIVEN a request with cookie and basic auth", () => {
+    return request(app)
+      .get(`${basePath}/multi_auth`)
+      .set({
+        "Authorization": "Basic ZGVtbzpwQDU1dzByZA==",
+        "Cookie": "JSESSIONID=dwdwdwdwd"
+      })
+      .expect(200)
+  })
 });