Secure endpoints different from openapi

Secure endpoints different from openapi Secure endpoints different from openapi
geobeyond · Apr 7, 2024 · 6bbddb6 · 6bbddb6
1 parent 1a73bc1
commit 6bbddb6
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 25 deletions.
diff --git a/app/middleware/pygeoapi.py b/app/middleware/pygeoapi.py
@@ -36,7 +36,6 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send):
         if scope["type"] != "http":
             return await self.app(scope, receive, send)
         pygeoapi_path = scope["path"]
-        pygeoapi_query_params = scope["query_string"].decode()
         if pygeoapi_path not in routes_with_openapi:
             return await self.app(scope, receive, send)
         else:
@@ -81,7 +80,7 @@ async def send_with_security(self, message: Message) -> None:  # noqa: C901
             self.headers.update(headers_dict)
         if message_type == "http.response.body":
             initial_body = message.get("body", b"").decode()
-            if not "<!-- HTML" in initial_body:
+            if "<!-- HTML" not in initial_body:
                 openapi_body = augment_security(
                     doc=initial_body, security_schemes=self.security_schemes
                 )

diff --git a/app/pygeoapi/openapi.py b/app/pygeoapi/openapi.py
@@ -48,29 +48,34 @@ def augment_security(doc: str, security_schemes: List[SecurityScheme]) -> OpenAP
     secured_paths = {}
     if paths:
         for key, value in paths.items():
-            if value.get:
-                value.get.security = [{f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}]
-                if value.get.responses:
-                    value.get.responses.update(unauthorized)
-            if value.post:
-                value.post.security = [{f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}]
-                if value.post.responses:
-                    value.post.responses.update(unauthorized)
-            if value.options:
-                value.options.security = [
-                    {f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}
-                ]
-                if value.options.responses:
-                    value.options.responses.update(unauthorized)
-                    # Remove when it is fixed from pygeoapi
-                    value.options.responses.update(not_found)
-            if value.delete:
-                value.delete.security = [
-                    {f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}
-                ]
-                if value.delete.responses:
-                    value.delete.responses.update(unauthorized)
-            secured_paths.update({key: value})
+            if "openapi" not in key:
+                if value.get:
+                    value.get.security = [
+                        {f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}
+                    ]
+                    if value.get.responses:
+                        value.get.responses.update(unauthorized)
+                if value.post:
+                    value.post.security = [
+                        {f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}
+                    ]
+                    if value.post.responses:
+                        value.post.responses.update(unauthorized)
+                if value.options:
+                    value.options.security = [
+                        {f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}
+                    ]
+                    if value.options.responses:
+                        value.options.responses.update(unauthorized)
+                        # Remove when it is fixed from pygeoapi
+                        value.options.responses.update(not_found)
+                if value.delete:
+                    value.delete.security = [
+                        {f"pygeoapi {cfg.PYGEOAPI_SECURITY_SCHEME}": []}
+                    ]
+                    if value.delete.responses:
+                        value.delete.responses.update(unauthorized)
+                secured_paths.update({key: value})
 
     if secured_paths:
         content["paths"] = secured_paths

diff --git a/docs/tutorials.md b/docs/tutorials.md
@@ -3,6 +3,7 @@
 ## Authentication and Authorization
 
 !!! tip "Familiarize with the topic"
+
     If you don't have prior experience with the topic, we recommend reading [Authentication and Authorization in Applications](https://www.permit.io/blog/authentication-vs-authorization), which is a really good introduction on the difference between Authentication and Authorization that helps you understand how they focus on two different purposes.
 
 This tutorial aims to guide the user to configure **fastgeoapi** with a mechanism that fits with your security requirements.
@@ -15,6 +16,7 @@ Supported security schemes are:
 - **OpenID Connect**: It looks like very similar to OAuth2 and in fact it is built on top of that. It allows to identify and authenticate a user in mobile and Single-Page Application (SPA).
 
 !!! note "OAuth2 vs OpenID Connect"
+
     It is beneficial to clarify that they serve two different purposes. [OAuth2](https://en.wikipedia.org/wiki/OAuth) is a framework for _Authorization_ while [OpenID Connect](https://openid.net/developers/how-connect-works/) is a protocol for _Authentication_. If you would like to develop further the concepts then [this]() is an appropriate read.
 
 ## Configure and protect pygeoapi
@@ -263,6 +265,7 @@ DEV_JWKS_ENABLED=true
 And configure a valid JWKS and Token endpoint for the authorization server:
 
 !!! Tip "Use OAuth2 playground"
+
     There are some playgrounds available which can be used for the sake of testing the workflow. Let's use the one from [Auth0 by Okta](https://openidconnect.net/).
 
 ```yml