fix(swagger): apply X-API-Key security scheme globally #109
Open
rmyndharis wants to merge 1 commit into
Conversation
The Swagger document defined the X-API-Key scheme via addApiKey() but never applied it, so no operation declared a security requirement and Swagger UI never sent the key. Requests reached the global ApiKeyGuard with no key and got 401 Unauthorized. Extract the config into createSwaggerConfig(), apply the scheme globally with addSecurityRequirements, and remove 5 stray @ApiBearerAuth() decorators that referenced an undefined bearer scheme. Fixes #104
Problem

Issue #104:
POST /sessions/:id/messages/send-bulk (and every other protected endpoint) returns 401 Unauthorized when called from Swagger UI, even after clicking Authorize and entering a valid API key.

Root cause

main.ts defined the X-API-Key security scheme with addApiKey() but never applied it. In OpenAPI, defining a scheme is not the same as applying it: without a security requirement on operations, Swagger UI never attaches the credential. So Authorize was cosmetic, and every request reached the global ApiKeyGuard with no key, returning 401.

It looked like a send-bulk-only bug because the dashboard (which sends the key itself) has no bulk feature, so bulk was the first Swagger-only operation a user would reach. Every protected endpoint was affected.

A separate inconsistency: 5 controllers (auth, plugins, catalog, status, stats) used @ApiBearerAuth(), which references a bearer scheme that was never defined.

Fix

- Extract the config into src/config/swagger.config.ts as createSwaggerConfig(), making it unit-testable.
- Apply the scheme globally with addSecurityRequirements, mirroring the global ApiKeyGuard.
- Remove the 5 stray @ApiBearerAuth() decorators. Operation-level security overrides the global requirement, so leaving them would keep those controllers broken.
- Tests (swagger.config.spec.ts), written test-first.

Verification

- npm run build, npm test (111/111), npm run lint: all pass.
- /api/docs-json: the document now carries a global security [{"X-API-Key":[]}], send-bulk inherits it, and 0 operation-level overrides across all 91 paths.

Fixes #104
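The two OpenAPI rules this PR rests on (a scheme that is defined but never applied protects nothing, and an operation-level security list replaces the global one rather than merging with it) can be checked mechanically against the generated document, which is what the /api/docs-json verification above does by hand. The following TypeScript is an added example, not code from this PR or the project; it uses plain structural types instead of @nestjs/swagger, and the two sample documents (with a placeholder /auth/example path) are constructed here.

```typescript
// Added example (not the project's code): audit an OpenAPI 3 document for the
// failure modes in the PR. Plain types stand in for @nestjs/swagger; samples are constructed.
type SecurityRequirement = Record<string, string[]>;
interface Operation { security?: SecurityRequirement[] }
interface OpenApiDoc {
  components?: { securitySchemes?: Record<string, { type: string }> };
  security?: SecurityRequirement[];
  paths: Record<string, Record<string, Operation>>;
}
interface SecurityReport {
  unauthenticated: string[];  // Swagger UI would send no credential at all
  undefinedSchemes: string[]; // requirement names a scheme that is not defined
  overrides: number;          // operations carrying their own security list
}
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

function auditSecurity(doc: OpenApiDoc): SecurityReport {
  const defined = new Set(Object.keys(doc.components?.securitySchemes ?? {}));
  const report: SecurityReport = { unauthenticated: [], undefinedSchemes: [], overrides: 0 };
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [method, op] of Object.entries(item)) {
      if (!HTTP_METHODS.includes(method)) continue; // skip path-item fields like "parameters"
      const id = `${method.toUpperCase()} ${path}`;
      // OpenAPI rule: an operation-level `security` replaces the global list,
      // it does not merge with it. Absent means "inherit the global list".
      const effective = op.security ?? doc.security ?? [];
      if (op.security !== undefined) report.overrides++;
      if (effective.length === 0) { report.unauthenticated.push(id); continue; }
      const missing = effective.some((req) => Object.keys(req).some((s) => !defined.has(s)));
      if (missing) report.undefinedSchemes.push(id);
    }
  }
  return report;
}

// "Before": X-API-Key defined but never applied; a placeholder auth path references an undefined bearer scheme.
const beforeFix: OpenApiDoc = {
  components: { securitySchemes: { "X-API-Key": { type: "apiKey" } } },
  paths: {
    "/sessions/{id}/messages/send-bulk": { post: {} },
    "/auth/example": { get: { security: [{ bearer: [] }] } },
  },
};
// "After": the scheme is applied globally and the bearer override is removed, so every operation inherits it.
const afterFix: OpenApiDoc = {
  ...beforeFix,
  security: [{ "X-API-Key": [] }],
  paths: { "/sessions/{id}/messages/send-bulk": { post: {} }, "/auth/example": { get: {} } },
};
```

Run over the real docs-json, a non-empty unauthenticated list is exactly the symptom in #104, and a non-zero overrides count is what the stray @ApiBearerAuth() decorators would have produced.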