propagate configured AuthenticationStrategy to OpenApiSpec #3669

Closed
2 tasks
derdeka opened this issue Sep 5, 2019 · 8 comments

@derdeka
Contributor

derdeka commented Sep 5, 2019

Suggestion

The configured AuthenticationStrategy should propagate the security schema into the generated OpenAPI spec. Currently each endpoint needs several configuration options to make this possible.

Use Cases

With configured security schemas, the API Explorer handles authentication information automatically and sends it to the LB4 server.

Examples

Currently I'm doing something like this:

application.ts

```ts
import { merge } from 'lodash';
// ...
constructor(options: ApplicationConfig = {}) {
  // ...
  const spec = this.getSync(RestBindings.API_SPEC);
  merge(spec, {
    components: {
      securitySchemes: {
        BasicAuth: {
          type: 'http',
          scheme: 'basic',
        },
        BearerAuth: {
          type: 'http',
          scheme: 'bearer',
        },
        ApiKeyAuth: {
          type: 'apiKey',
          in: 'header',
          name: 'X-API-Key',
        },
      },
    },
  });
  // ...
}
```

user.controller.ts

```ts
// ...
@authorize('jwt')
@get('/users', {
  security: [{
    BearerAuth: [],
  }],
  responses: {
    [STATUS_CODE.OK]: {
      content: { [CONTENT_TYPE.JSON]: { schema: { type: 'array', items: getModelSchemaRef(User) } } },
    },
  },
})
async userFind(
// ...
```

Please note that `@authorize('jwt')` and `security` are somewhat redundant and need to be configured for each endpoint.

Acceptance criteria

  • Authentication strategy can contribute security schemas when it gets registered to an application. The security schema specs will be merged into OpenAPISpec.components.schemas. Modify the registerAuthenticationStrategy() method to handle the spec merge.

  • Update loopback4-shopping-example to leverage the new change.

@derdeka derdeka added the feature label Sep 5, 2019
@derdeka
Contributor Author

derdeka commented Sep 5, 2019

I found a simpler way without modifying all endpoints:

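constants.ts

```ts
import { SecurityRequirementObject } from '@loopback/openapi-v3';

export namespace SECURITY_REQUIREMENT {
  // Applied to every operation unless the operation overrides it.
  export const DEFAULT: SecurityRequirementObject[] = [
    {
      BearerAuth: [],
    },
  ];

  // Empty list: the operation requires no authentication.
  export const NONE: SecurityRequirementObject[] = [];
}
```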

application.ts

```ts
import { merge } from 'lodash';
// ...
constructor(options: ApplicationConfig = {}) {
  // ...
  const spec = this.getSync(RestBindings.API_SPEC);
  merge(spec, {
    security: SECURITY_REQUIREMENT.DEFAULT,
    components: {
      securitySchemes: {
        BasicAuth: {
          type: 'http',
          scheme: 'basic',
        },
        BearerAuth: {
          type: 'http',
          scheme: 'bearer',
        },
        ApiKeyAuth: {
          type: 'apiKey',
          in: 'header',
          name: 'X-API-Key',
        },
      },
    },
  });
  // ...
}
```

user.controller.ts

```ts
// ...
@authorize('none')
@post('/users/login', {
  security: SECURITY_REQUIREMENT.NONE,
  responses: {
    // ...
  },
})
async userLogin(
// ...
```
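With a spec-wide `security` default and per-operation overrides such as `SECURITY_REQUIREMENT.NONE`, the generated document can be checked for operations that end up without authentication or that name a scheme missing from `components.securitySchemes`. The following is an added example, not part of the thread or of LoopBack; `auditSecurity`, the type names, the `/orders` path and the sample spec are assumptions constructed for illustration.

```typescript
// Added example: resolve the effective `security` of each OpenAPI 3 operation.
type SecurityRequirement = Record<string, string[]>;
interface ApiOperation { security?: SecurityRequirement[] }
interface ApiSpec {
  security?: SecurityRequirement[];
  components?: { securitySchemes?: Record<string, unknown> };
  paths: Record<string, Record<string, ApiOperation>>;
}
interface SecurityFinding { operation: string; issue: string; detail: string }

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

function auditSecurity(spec: ApiSpec): SecurityFinding[] {
  const defined = Object.keys(spec.components?.securitySchemes ?? {});
  const findings: SecurityFinding[] = [];
  for (const path of Object.keys(spec.paths)) {
    for (const method of HTTP_METHODS) {
      const op = spec.paths[path][method];
      if (!op) continue;
      const operation = `${method.toUpperCase()} ${path}`;
      // An operation-level `security` replaces the top-level default, even when it is [].
      const effective = op.security ?? spec.security ?? [];
      if (effective.length === 0) {
        const detail = op.security ? 'explicit empty override' : 'no default and no override';
        findings.push({ operation, issue: 'unauthenticated', detail });
      }
      for (const requirement of effective) {
        const schemes = Object.keys(requirement);
        // An empty requirement object {} makes authentication optional.
        if (schemes.length === 0) findings.push({ operation, issue: 'optional-auth', detail: '{}' });
        for (const scheme of schemes) {
          if (defined.indexOf(scheme) === -1) findings.push({ operation, issue: 'unknown-scheme', detail: scheme });
        }
      }
    }
  }
  return findings;
}

// Constructed sample spec: default BearerAuth, login opts out, one mistyped scheme name.
const sampleSpec: ApiSpec = {
  security: [{ BearerAuth: [] }],
  components: { securitySchemes: { BearerAuth: { type: 'http', scheme: 'bearer' } } },
  paths: {
    '/users': { get: {} },
    '/users/login': { post: { security: [] } },
    '/orders': { get: { security: [{ ApiKey: [] }] } },
  },
};
console.log(JSON.stringify(auditSecurity(sampleSpec), null, 2));
```

The `unauthenticated` findings are the list to review against the endpoints that are meant to be public, such as the login route above.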

@derdeka
Contributor Author

derdeka commented Sep 5, 2019

related to #2027

@jannyHou
Contributor

jannyHou commented Sep 9, 2019

@derdeka I am working on #2027 :) And have similar code as

```ts
import { merge } from 'lodash';
// ...
constructor(options: ApplicationConfig = {}) {
  // ...
  const spec = this.getSync(RestBindings.API_SPEC);
  merge(spec, {
    components: {
      securitySchemes: {
        BasicAuth: {
          type: 'http',
          scheme: 'basic',
        },
        BearerAuth: {
          type: 'http',
          scheme: 'bearer',
        },
        ApiKeyAuth: {
          type: 'apiKey',
          in: 'header',
          name: 'X-API-Key',
        },
      },
    },
  });
  // ...
}
```

on my local. Your suggestion seems reasonable to me. Will submit a draft PR in the near future and we can discuss further.

@jannyHou
Contributor

jannyHou commented Sep 9, 2019

see draft PR loopbackio/loopback4-example-shopping#267

@jannyHou
Contributor

Acceptance Criteria updated.

@dhmlau
Member

dhmlau commented Sep 24, 2019

Related to #2027

@jannyHou
Contributor

jannyHou commented Jan 8, 2020

some update:

The openapi spec enhancer service is created in #4258.

To allow contributing custom security spec, we need #4380 to happen first.

And two more improvements:
#4386
#4385

@achrinza
Member

Closing as done (see #4693).
