Implement security fields from openapi to malli route data.

[JohanCodinha]

No description provided.

[lispyclouds]

thanks! will have a look asap!

[JohanCodinha]

Implement security as a malli route data, this can then be read by interceptor / midleware.

Given a doc like:

openapi: 3.1.0
info:
  title: Simple User Listing API
  description: A simple API to list users, where each user has an ID, and optional email/name.
  termsOfService: http://example.com/terms/
  contact:
    email: support@example.com
  license:
    name: Apache 2.0
    url: http://www.apache.org/licenses/LICENSE-1.0.html
  version: "1.0.0"

servers:
  - url: https://api.example.com/v1
    description: Main production server

tags:
  - name: user
    description: Operations about user

paths:
  /users:
    get:
      tags:
        - user
      summary: List all users
      description: Returns all registered users.
      operationId: listUsers
      # Declare that this endpoint requires the sessionCookieAuth security scheme
      security:
        - sessionCookieAuth: ["read:user"]
        - test: ["one:two"]
      responses:
        '200':
          description: A list of user objects
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '400':
          description: Bad request
        '401':
          description: Unauthorized (no valid session cookie)
        '403':
          description: Forbidden (logged in, but not allowed to access this resource)

components:
  securitySchemes:
    # A simple cookie-based auth scheme named sessionCookieAuth
    sessionCookieAuth:
      type: apiKey
      in: cookie
      name: session
      description: >
        A session-based authentication scheme. The cookie must contain
        a valid session ID that identifies the user.
  schemas:
    User:
      type: object
      required:
        - id
      properties:
        id:
          type: string
          format: uuid
          description: The unique identifier for a user
        email:
          type: string
          description: Optional email address of the user
        name:
          type: string
          description: Optional name of the user

Produce routes like:

[["/users"
  {:get
   {:handler #function[routes/fn--23261],
    :responses
    {200
     {:content
      {"application/json"
       {:schema
        [:sequential
         [:map
          {:closed false}
          [:id #function[clojure.core/uuid?]]
          [:email {:optional true} #function[clojure.core/string?--5494]]
          [:name {:optional true} #function[clojure.core/string?--5494]]]]}},
      :description "A list of user objects"},
     400 {:content {:default {:schema #function[clojure.core/nil?]}}, :description "Bad request"},
     401
     {:content {:default {:schema #function[clojure.core/nil?]}},
      :description "Unauthorized (no valid session cookie)"},
     403
     {:content {:default {:schema #function[clojure.core/nil?]}},
      :description "Forbidden (logged in, but not allowed to access this resource)"}},
    :security [["sessionCookieAuth" ["read:user"]]
                   ["test" ["one:two"]]]}}]]

[JohanCodinha]

Need to add a test, only tested at the repl with no security info, with 1 and with many.

[lispyclouds]

can we remove this and put the test dir? in something like a specs dir maybe. we can just use (slurp "specs/security-users.yml"). I'd rather not have things that aren't part of the final artifact in resources.

[JohanCodinha]

Yes, it makes sense I just added this to have a repl going.

[lispyclouds]

this into can be dropped for a mapv before this?

[lispyclouds]

thinking more, is this conversion even needed or does is just work in reitit as its all Maps and Lists anyways?

[JohanCodinha]

This is just creating route data. It won't work in reitit until you add middleware that uses that data.
Although it's opinionated, I chose to represent it as a vector of vectors because it convey the logical OR of having multiple security schemes.
This could have been a map but I think of map a as AND.
And yes, this can also be done with a mapv, feel free to change it.

[lispyclouds]

Makes sense. Let's add some docs about it on the README.

[lispyclouds]

lets use a slurp without the resource like mentioned before

[lispyclouds]

Rest looks pretty good! thanks!

[lispyclouds]

@JohanCodinha can I get some reitit middleware/interceptor examples for the readme thst uses this? I'm happy to merge this after that. 😄