Jodo

Reputation: 4763

Swagger specific security for a path

I have a Node.js API in which I want to add swagger documentation. Clients authorize via JWT, so I added this to security:

securityDefinitions:
  UserSecurity:
    type: apiKey
    description: User is logged in
    in: header
    name: Authorization

Then I can add this to different paths to tell the client that, to do this, you need to be logged in.

/user/{userId}:
  get:
    security:
      - UserSecurity: []

But how do I add more specific security constraints? Like, the user can only edit the profile if logged in as that user. Or a user can edit a comment if he has superadmin status OR if he is admin for the board the comment is posted on OR is logged in as the user that created this comment.

Upvotes: 2

Views: 746

Answers (1)

Vsevolod Goloviznin

Reputation: 12324

AFAIK, there is no direct way to add 'roles' to swagger documentation.

What I did is add a custom section, x-scope, to the swagger file:

get:
    operationId: getToken
    x-scope:
      - merchant
    security:
      - token: []

Then in the code I check the role of the user against the one provided in the path:

authorize: (req, def, token, callback) => {
  // x-scope is a vendor extension, so the swagger middleware keeps it
  // on the resolved operation object and we can read it here
  let scopes = req.swagger.operation["x-scope"];
  // scopes will contain the ["merchant"] array

  // verifyUserAndRoles is my own helper (not shown): it validates the
  // token and compares the user's roles with the required scopes
  return verifyUserAndRoles(token, scopes);
}

Upvotes: 1
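The following is an added example, not code from the question or the answer, that generalizes the x-scope idea to the ownership-style constraints the question asks about (edit your own profile; edit a comment if superadmin OR board admin OR author). Each x-scope entry names a policy function, and the request is allowed if any listed policy passes. Everything here is constructed: the spec fragment, the policy names (`self`, `superadmin`, `board-admin`, `author`), the claim fields (`sub`, `roles`, `boardAdminOf`) and the loaded `resource`. It also assumes the JWT has already been verified and decoded before `authorize` runs; token verification itself is out of scope.

```javascript
// Added example (not from the question or the answer): evaluate an operation's
// x-scope list against the caller's claims and the resource being targeted.
// Assumptions: the JWT was already verified and decoded into `claims`
// ({ sub, roles, boardAdminOf }); the resource (profile, comment) is loaded
// by the route before authorization is evaluated.

// Constructed swagger fragment. Each x-scope entry names a policy below; the
// request is allowed if ANY listed policy passes (the OR from the question).
const spec = {
  paths: {
    "/user/{userId}": {
      put: { "x-scope": ["self"], security: [{ UserSecurity: [] }] },
    },
    "/comment/{commentId}": {
      put: {
        "x-scope": ["superadmin", "board-admin", "author"],
        security: [{ UserSecurity: [] }],
      },
      // no x-scope: any logged-in user may read a comment
      get: { security: [{ UserSecurity: [] }] },
    },
  },
};

// Policies are plain predicates over (claims, pathParams, resource).
const policies = {
  self: (claims, params) => claims.sub === params.userId,
  superadmin: (claims) => (claims.roles || []).includes("superadmin"),
  "board-admin": (claims, params, resource) =>
    Boolean(resource) && (claims.boardAdminOf || []).includes(resource.boardId),
  author: (claims, params, resource) =>
    Boolean(resource) && resource.authorId === claims.sub,
};

// Look the operation up by HTTP method and the templated path from the spec.
function findOperation(spec, method, templatePath) {
  const item = spec.paths[templatePath];
  return item ? item[method.toLowerCase()] : undefined;
}

// Returns { allowed, reason }. Fails closed: an unknown operation, a missing
// login, or a misspelled scope name in the spec all deny rather than allow.
function authorize(spec, method, templatePath, params, claims, resource) {
  const op = findOperation(spec, method, templatePath);
  if (!op) return { allowed: false, reason: "unknown operation" };
  if (!claims) return { allowed: false, reason: "not logged in" };

  const scopes = op["x-scope"] || [];
  if (scopes.length === 0) return { allowed: true, reason: "logged in" };

  for (const name of scopes) {
    const policy = policies[name];
    if (!policy) return { allowed: false, reason: `unknown scope ${name}` };
    if (policy(claims, params, resource)) return { allowed: true, reason: name };
  }
  return { allowed: false, reason: `none of [${scopes.join(", ")}] matched` };
}

// Usage with constructed data: a board admin editing someone else's comment.
const demoClaims = { sub: "u1", roles: [], boardAdminOf: ["b7"] };
const demoComment = { authorId: "u2", boardId: "b7" };
console.log(
  authorize(spec, "PUT", "/comment/{commentId}", { commentId: "c1" }, demoClaims, demoComment)
);
```

Keeping the policy names in the spec and the predicates in code means the documentation still states who may call the operation, while the actual ownership checks stay in the application, where the loaded resource is available. Denying on an unknown scope name turns a typo in the swagger file into a visible failure instead of a silently open endpoint.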
