Security annotation does not seem to prevent the controller action from being executed
Hello there,
Just copied and pasted from documentation:
nelmio_api_doc:
    documentation:
        info:
            title: My App
            version: 1.0.0
        components:
            securitySchemes:
                Bearer:
                    type: http
                    scheme: bearer
                    bearerFormat: JWT
        security:
            - Bearer: []
    areas: # to filter documented areas
        path_patterns:
            - ^/api(?!/doc$) # Accepts routes under /api except /api/doc
Controller:
namespace App\Controller;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;
use Nelmio\ApiDocBundle\Annotation\Security;

class TestController
{
    /**
     * Test
     * @Route("/api/test", name="issue", methods={"POST"})
     * @Security(name="Bearer")
     */
    public function test()
    {
        return new JsonResponse(["status" => "OK"]);
    }
}
I see the resource "POST /api/test" in Swagger UI, click on "Try it out", then "Execute", and the controller runs without a problem. Shouldn't the security prevent the execution of that controller action unless an authorization JWT token is passed?
I would expect something like "Unauthorized"...
Thanks
Antonio
Hi Antonio,
Not exactly sure what piece of documentation you're sharing, as it's not a fully valid OpenAPI definition.
I assume from the code that you're using PHP's Symfony (not familiar with it at all, personally).
Swagger UI will simply follow the OpenAPI definition it is provided with.
If there's an issue with the code not adhering to the security requirements, you'd need to look into the code/framework you're using. Since we don't have any PHP libraries of our own, I'm afraid we can't help you with finding the solution.
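The gap described in this thread (a security scheme declared in the OpenAPI document while the server still executes the action without credentials) can be caught with a small conformance check. The script below is an added example, not code from the issue or from NelmioApiDocBundle; it assumes a constructed OpenAPI document mirroring Antonio's config and two stand-in "servers" so that it runs offline.

```python
"""Hypothetical check (not from the issue or NelmioApiDocBundle): for every
operation whose effective OpenAPI security requirement is non-empty, send one
request WITHOUT credentials and flag any 2xx reply. Operation-level `security`
overrides the top-level list and `security: []` opts an operation out. The
transport is injected, so it runs offline against the stand-in servers below."""
from typing import Callable, Dict, List, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed document mirroring Antonio's nelmio config: global Bearer/JWT
# requirement, POST /api/test, plus GET /api/doc opted out with `security: []`.
SPEC: Dict = {
    "openapi": "3.0.0",
    "info": {"title": "My App", "version": "1.0.0"},
    "components": {"securitySchemes": {
        "Bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
    "security": [{"Bearer": []}],
    "paths": {
        "/api/test": {"post": {"responses": {"200": {"description": "OK"}}}},
        "/api/doc": {"get": {"security": [], "responses": {"200": {"description": "OK"}}}},
    },
}

def protected_operations(spec: Dict) -> List[Tuple[str, str]]:
    """(METHOD, path) for each operation that the document says requires auth."""
    found = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip `parameters`, `summary`, vendor extensions, ...
            if op.get("security", spec.get("security", [])):
                found.append((method.upper(), path))
    return found

def find_unenforced(spec: Dict, send: Callable[[str, str], int]) -> List[Tuple[str, str]]:
    """Protected operations that still answer 2xx when no credentials are sent."""
    return [(m, p) for m, p in protected_operations(spec) if 200 <= send(m, p) < 300]

def reported_server(method: str, path: str) -> int:
    """Stand-in for the behaviour in the issue: the action runs whatever the headers say."""
    return 200

def enforcing_server(method: str, path: str) -> int:
    """Stand-in for a server whose firewall rejects a missing bearer token under /api."""
    return 401 if path.startswith("/api") and path != "/api/doc" else 200

if __name__ == "__main__":
    print("unenforced:", find_unenforced(SPEC, reported_server))   # [('POST', '/api/test')]
    print("unenforced:", find_unenforced(SPEC, enforcing_server))  # []
```

Against a real deployment, replace the stand-in with a function that issues the request to the running API (no Authorization header) and returns the status code; any operation it lists is documented as protected but served to anyone.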