Optional auth?

[ChillFish8]

Hello again 😅

What would be the best plan of attack for a situation where you essentially want the option of having a request be able to pass an authorization bearer or nothing?

If authorization is passed do one thing, otherwise do the other.

[ChillFish8]

😅 Well I've done the whole, find the answer plain as the day after I ask the question thing.

Turns out it's super easy to do with the BearerAuthorization trait.

[ChillFish8]

pub struct OptionalTokenBearer(pub Option<Bearer>);

#[async_trait]
impl<'a> FromRequest<'a> for OptionalTokenBearer {
    async fn from_request(req: &'a Request, _body: &mut RequestBody) -> poem::Result<Self> {
        <Self as BearerAuthorization>::from_request(req)
    }
}

impl BearerAuthorization for OptionalTokenBearer {
    fn from_request(req: &Request) -> poem::Result<Self> {
        let auth = Bearer::from_request(req).ok();
        Ok(Self(auth))
    }
}

worked for what I needed.

[sunli829]

This is not good enough, optional authentication cannot be represented in swagger ui, I need to think about how to support it. 😁

[sunli829]

I took a look at the OpenAPI spec and it doesn't support optional authentication. 😂

[ChillFish8]

Oh yeah, luckily for my use case i just need the functionality rather than the spec for the most part 😅

[peterreisz]

Hi! I think optional auth should be written like this:

security: # this is an array, one item of this array must be entirely fullfilled
# this is a map inside with one required security only
  - RequiredOnlyThis: []
# this is a map with two required security only, both of them must be present at the same time
  - RequiredThis: []
    AndAlsoThis: []
# Empty map, thus no security is required at all
  - {}

https://swagger.io/specification/#operation-object