throw provided exception example

Author: cdimascio

src/middlewares/openapi.security.ts

@@ -138,16 +138,10 @@ class SecuritySchemes {
       }
       return Promise.all(
         Object.keys(s).map(async (securityKey) => {
-          var _a, _b, _c;
+
           try {
             const scheme = this.securitySchemes[securityKey];
-            const handler =
-              (_b =
-                (_a = this.securityHandlers) === null || _a === void 0
-                  ? void 0
-                  : _a[securityKey]) !== null && _b !== void 0
-                ? _b
-                : fallbackHandler;
+            const handler = this.securityHandlers?.[securityKey] ?? fallbackHandler;
             const scopesTmp = s[securityKey];
             const scopes = Array.isArray(scopesTmp) ? scopesTmp : [];
             if (!scheme) {
@@ -180,7 +174,7 @@ class SecuritySchemes {
           } catch (e) {
             return {
               success: false,
-              status: (_c = e.status) !== null && _c !== void 0 ? _c : 401,
+              status: e.status ?? 401,
               error: e,
             };
           }

test/resources/security.yaml

@@ -90,6 +90,7 @@ paths:
         "401":
           description: unauthorized
 
+
   /multi_auth:
     get:
       security:
@@ -127,6 +128,18 @@ paths:
         "401":
           description: unauthorized
 
+  /test_key:
+    get:
+      security:
+        - testKey: []
+      description: Test authentication
+      responses:
+        "200":
+          description: Some html content
+          content:
+            text/html:
+              schema:
+                type: string
 components:
   securitySchemes:
     BasicAuth:
@@ -156,3 +169,7 @@ components:
             read: Grants read access
             write: Grants write access
             admin: Grants access to admin operations
+    testKey:
+      type: apiKey
+      name: key
+      in: query

test/security.handlers.spec.ts

@@ -7,7 +7,7 @@ import {
   OpenApiValidatorOpts,
   ValidateSecurityOpts,
   OpenAPIV3,
-  SecurityHandlers,
+  HttpError,
 } from '../src/framework/types';
 import { AppWithServer } from './common/app.common';
 
@@ -16,13 +16,37 @@ import { AppWithServer } from './common/app.common';
 describe('security.handlers', () => {
   let app: AppWithServer;
   let basePath: string;
+
+  class MyForbiddenError extends HttpError {
+    constructor(message: string) {
+      super({
+        status: 403,
+        path: '/test_key',
+        name: 'MyForbiddenError',
+        message: message,
+      });
+    }
+  }
+  
+  class MyUserError extends Error {
+  }
+  
   const eovConf: OpenApiValidatorOpts = {
     apiSpec: path.join('test', 'resources', 'security.yaml'),
     validateSecurity: {
       handlers: {
         ApiKeyAuth: (req, scopes, schema) => {
           throw Error('custom api key handler failed');
         },
+        testKey: async (req, scopes, schema) => {
+          let key = req.query.key;
+          console.log('-------key');
+          if (key !== "ok") {
+            throw new MyForbiddenError("Wrong key value");
+          }
+
+          return true;
+        },
       },
     },
   };
@@ -44,8 +68,30 @@ describe('security.handlers', () => {
         .get(`/api_key_or_anonymous`, (req, res) =>{
           res.json({ logged_in: true })
   })
-        .get('/no_security', (req, res) => {res.json({ logged_in: true })}),
+        .get('/no_security', (req, res) => {res.json({ logged_in: true })})
+        .get("/test_key", function(req, res, next) {
+          if (req.query.key === "ok") {
+            console.log('-------key ok');
+            throw new MyUserError("Everything is fine");
+          } else {
+            console.log('-------key wrong');
+            throw new MyForbiddenError("Wrong key value");
+          }
+        }),
     );
+    app.use((err, req, res, next) => {
+        if (err instanceof MyUserError) {
+          // OK
+          res.status(200);
+          res.send(`<h1>Error matches to MyUserError</h1>`);
+        } else if (err instanceof MyForbiddenError) {
+          // FAIL: YOU NEVER GET HERE
+          res.status(403);
+          res.send(`<h1>Error matches to MyForbiddenError</h1>`);
+        } else {
+          res.send(`<h1>Unknown error</h1>` + JSON.stringify(err));
+        }
+      });
   });
 
   after(() => {
@@ -55,6 +101,12 @@ describe('security.handlers', () => {
   it('should return 200 if no security', async () =>
     request(app).get(`${basePath}/no_security`).expect(200));
 
+  it('should return 200 if test_key handler returns true', async () =>
+    request(app).get(`${basePath}/test_key?key=ok`).expect(200));
+
+  it('should return 403 if test_key handler throws exception', async () =>
+    request(app).get(`${basePath}/test_key?key=wrong`).expect(403));
+
   it('should return 401 if apikey handler throws exception', async () =>
     request(app)
       .get(`${basePath}/api_key`)