Forum Discussion

marrahi's avatar
marrahi
Frequent Visitor
4 years ago

Security annotation does not seem to prevent the controller action from being executed

Hello there,

Just copied and pasted from documentation:

nelmio_api_doc:
    documentation:
        info:
            title: My App
            version: 1.0.0
        components:
            securitySchemes:
                Bearer:
                    type: http
                    scheme: bearer
                    bearerFormat: JWT
        security:
            - Bearer: []
    areas: # to filter documented areas
        path_patterns:
            - ^/api(?!/doc$) # Accepts routes under /api except /api/doc

Controller:

namespace App\Controller;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;
use Nelmio\ApiDocBundle\Annotation\Security;

class TestController
{
    /**
     * Test
     * @Route("/api/test", name="issue", methods={"POST"})
     * @Security(name="Bearer")
     */
    public function test()
    {
        return new JsonResponse(["status" => "OK"]);
    }
}

I see the resource "POST /api/test" in swagger UI, click on "Try it out", then "Execute", and the controller runs without a problem. Shouldn't the security prevent the execution of that controller action unless an authorization jwt token is passed?

I would expect something like "Unauthorized"...

Thanks

Antonio

  • Hi Antonio,

    Not exactly sure what is the piece of documentation you're sharing, as it's not a fully valid OpenAPI definition.

    I assume from the code that you're using PHP's Symfony (not familiar with it at all, personally).

    Swagger UI will simply follow the OpenAPI definition it is provided with.

    If there's an issue with the code not adhering to the security requirements, you'd need to look into the code/framework you're using. Since we don't have any PHP libraries of our own, I'm afraid we can't help you with finding the solution.
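The reply above points at the framework, so here is the enforcement side, as an added example that is not part of this thread and not the bundle's own code. NelmioApiDocBundle's `@Security(name="Bearer")` annotation only adds a security requirement to the generated OpenAPI document: Swagger UI draws a lock icon and sends the `Authorization` header once you click "Authorize", but nothing rejects a request that lacks it. What rejects it is Symfony's security component. Assumed here: Symfony 6.2 or newer (for the `access_token` firewall authenticator and the `#[Autowire]` attribute), a `JWT_SECRET` environment variable holding the HS256 key, a user provider whose identifiers match the token's `sub` claim, and the file path `src/Security/JwtAccessTokenHandler.php`; the handler class, the firewall configuration and the claim checks are mine, not from the post.

```php
<?php
// Added example (not from the original post): a Symfony 6.2+ access-token handler that
// enforces the bearer requirement which the Nelmio @Security annotation only documents.
// Wire it up in config/packages/security.yaml (assumed layout, not from the post):
//
//   security:
//       firewalls:
//           api:
//               pattern: ^/api
//               stateless: true
//               access_token:
//                   token_handler: App\Security\JwtAccessTokenHandler
//       access_control:
//           - { path: ^/api/doc, roles: PUBLIC_ACCESS }
//           - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
//
// With this in place, "Execute" in Swagger UI without a token gets a 401 from the
// firewall before TestController::test() ever runs.

namespace App\Security;

use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

final class JwtAccessTokenHandler implements AccessTokenHandlerInterface
{
    // HS256 secret injected from the environment; JWT_SECRET is an assumed variable name.
    public function __construct(
        #[Autowire('%env(JWT_SECRET)%')] private readonly string $secret,
    ) {
    }

    // Called by the access_token authenticator with the value after "Bearer ".
    public function getUserBadgeFrom(string $accessToken): UserBadge
    {
        $claims = $this->verify($accessToken);
        if (!isset($claims['sub']) || !is_string($claims['sub'])) {
            throw new BadCredentialsException('Token has no subject.');
        }
        // The firewall's user provider resolves this identifier to a user object.
        return new UserBadge($claims['sub']);
    }

    /** Verifies a compact HS256 JWT and returns its claims, or throws BadCredentialsException. */
    private function verify(string $jwt): array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            throw new BadCredentialsException('Malformed token.');
        }
        [$header64, $payload64, $sig64] = $parts;

        // Pin the algorithm: never let the token's own "alg" choose the verifier.
        $header = json_decode(self::b64urlDecode($header64), true);
        if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
            throw new BadCredentialsException('Unsupported token algorithm.');
        }

        // Constant-time comparison of the HMAC over the exact signed bytes.
        $expected = hash_hmac('sha256', $header64 . '.' . $payload64, $this->secret, true);
        if (!hash_equals($expected, self::b64urlDecode($sig64))) {
            throw new BadCredentialsException('Bad token signature.');
        }

        $claims = json_decode(self::b64urlDecode($payload64), true);
        if (!is_array($claims)) {
            throw new BadCredentialsException('Malformed claims.');
        }
        // Reject tokens without an expiry as well as expired ones.
        if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= time()) {
            throw new BadCredentialsException('Token expired.');
        }

        return $claims;
    }

    // base64url (RFC 4648 section 5) decoding with padding restored, strict alphabet check.
    private static function b64urlDecode(string $data): string
    {
        $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
        $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
        if ($decoded === false) {
            throw new BadCredentialsException('Malformed token encoding.');
        }

        return $decoded;
    }
}
```

The JWT checks are written out so the points that matter are visible (pinned algorithm, constant-time signature comparison, mandatory expiry); in a real project the same handler would delegate verification to a maintained JWT library, or you would use lexik/jwt-authentication-bundle's own `jwt` firewall authenticator instead. Either way, the annotation in the controller stays purely descriptive: keep it so the documentation matches what the firewall enforces, but never rely on it for enforcement.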
