You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While analyzing the code generated by the #[OpenApi] / #[oai] macro, I noticed that it doesn't prioritize security over other parameters, let me explain:
let's take this code as an exampe :
constCODE_EXAMPLE:fn() -> String = || "0000000000".to_owned();constTYPE_CODE_EXAMPLE:fn() -> String = || "A2".to_owned();constDEFAULT_TYPE_CODE:fn() -> String = || "A2".to_owned();pubstructCityRestCtl;#[OpenApi(prefix_path = "/city", tag = City)]implCityRestCtl{/* ----------------------------------------------------------------------------------------- *//// Get by code#[oai(path = "/:code", method = "get", operation_id = "getTest")]pubasyncfnget_test(&self,#[oai(name = "type_code", default = "DEFAULT_TYPE_CODE", example = "TYPE_CODE_EXAMPLE")]/// code typeQuery(type_code):Query<String>,#[oai(name = "code", example = "CODE_EXAMPLE")]/// the codePath(code):Path<String>,JwtSecurityScheme(_auth):JwtSecurityScheme,) -> Result<HttpJsonResponse<CityDTO>,ApiResponseError>{returnErr(ApiResponseError::BadRequest(PlainText("Bad request".to_string())));}}
the macro will generate a code with extractors automatically;
but by analyzing the function generated add_routes() :
we can see that the order of extractors respects the order of declaration of endpoint parameters,
which is a safety risk and a performance problem, normally we check the Jwt token, if it's OK, we continue the analysis of the other parameters,
but since the parameter ( JwtSecurityScheme(_auth): JwtSecurityScheme) is last, the extractor is also the last to be created.
the only way to avoid this is to put this parameter just after &self, like this :
#[OpenApi(prefix_path = "/city", tag = City)]implCityRestCtl{/* ----------------------------------------------------------------------------------------- *//// Get by code#[oai(path = "/:code", method = "get", operation_id = "getTest")]pubasyncfnget_test(&self,JwtSecurityScheme(_auth):JwtSecurityScheme,// <-------------------------- !!!!!#[oai(name = "type_code", default = "DEFAULT_TYPE_CODE", example = "TYPE_CODE_EXAMPLE")]/// code typeQuery(type_code):Query<String>,#[oai(name = "code", example = "CODE_EXAMPLE")]/// the codePath(code):Path<String>) -> Result<HttpJsonResponse<CityDTO>,ApiResponseError>{returnErr(ApiResponseError::BadRequest(PlainText("Bad request".to_string())));}}
it would be very interesting if the macro detected the presence of a "SecurityScheme", and always put it in p1 before "Path<>" and "Query<>"
(we also need to review code redundancy, for each endpoint we have the same extractors that are generated in the function add_routes() core, externalizing them and making calls would be more judicious. )
Thanks a lot.
The text was updated successfully, but these errors were encountered:
Hello,
While analyzing the code generated by the #[OpenApi] / #[oai] macro, I noticed that it doesn't prioritize security over other parameters, let me explain:
let's take this code as an exampe :
the macro will generate a code with extractors automatically;
but by analyzing the function generated add_routes() :
we can see that the order of extractors respects the order of declaration of endpoint parameters,
JwtSecurityScheme is in p3,
which is a safety risk and a performance problem, normally we check the Jwt token, if it's OK, we continue the analysis of the other parameters,
but since the parameter ( JwtSecurityScheme(_auth): JwtSecurityScheme) is last, the extractor is also the last to be created.
the only way to avoid this is to put this parameter just after &self, like this :
it would be very interesting if the macro detected the presence of a "SecurityScheme", and always put it in p1 before "Path<>" and "Query<>"
(we also need to review code redundancy, for each endpoint we have the same extractors that are generated in the function add_routes() core, externalizing them and making calls would be more judicious. )
Thanks a lot.
The text was updated successfully, but these errors were encountered: