Cookie authentication not working for OpenAPI 3.0
When using cookie authentication, the securitySchemes are not checked: the request is passed through without validation even if the mentioned securityScheme is not present.
Reference: https://swagger.io/docs/specification/authentication/cookie-authentication/
E.g.:
In securitySchemes:
    "CookieAuth": {
      "type": "apiKey",
      "in": "cookie",
      "name": "cookie_name"
    }
In security at an operation:
    "security": [
      {
        "CookieAuth": []
      }
    ]
Now, even if the cookie named "cookie_name" is not present in the request, the request is passed through successfully without security validation; even the other securitySchemes validations are skipped.
The possible problem is that cookie in apiKey is not supported as of now; as we can see in the code below, only header and query are supported:
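The validator code the reporter refers to is not reproduced on this page. As an added illustration, which is not part of this issue and not swagger-request-validator's own code, the following Python sketch evaluates OpenAPI 3.0 security requirements over apiKey schemes in header, query and cookie. It contrasts the fail-open behaviour described above (a scheme the validator cannot check counts as satisfied, so an alternative containing only CookieAuth lets every request through) with a fail-closed evaluator that reports an unsupported location as an error. The securitySchemes, the second operation-level alternative (HeaderAuth plus QueryAuth) and the sample requests are constructed for the example; the OR-of-ANDs semantics of the security list is that of the OpenAPI specification.

```python
"""Added example: fail-open vs fail-closed evaluation of OpenAPI security
requirements for apiKey schemes. Not code from the issue or the project."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Constructed securitySchemes for a hypothetical API (CookieAuth mirrors the
# issue; HeaderAuth and QueryAuth are assumptions added for the example).
SECURITY_SCHEMES = {
    "CookieAuth": {"type": "apiKey", "in": "cookie", "name": "cookie_name"},
    "HeaderAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    "QueryAuth": {"type": "apiKey", "in": "query", "name": "api_key"},
}

# Operation-level security: alternatives are OR-ed, schemes inside one
# alternative are AND-ed. Either CookieAuth alone, or HeaderAuth AND QueryAuth.
OPERATION_SECURITY = [{"CookieAuth": []}, {"HeaderAuth": [], "QueryAuth": []}]


@dataclass
class Request:
    """Minimal request model: headers and parsed query parameters."""
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    def cookies(self) -> Dict[str, str]:
        # Cookies travel in the Cookie header as "a=1; b=2"; parse them.
        jar = SimpleCookie()
        raw = self.header("Cookie")
        if raw:
            jar.load(raw)
        return {key: morsel.value for key, morsel in jar.items()}


SUPPORTED_LOCATIONS = ("header", "query", "cookie")


def scheme_satisfied(scheme: dict, request: Request) -> bool:
    """True if the apiKey named by `scheme` is present at its location."""
    location, name = scheme["in"], scheme["name"]
    if location == "header":
        return request.header(name) is not None
    if location == "query":
        return name in request.query
    if location == "cookie":
        return name in request.cookies()
    raise ValueError(f"unsupported apiKey location: {location}")


def validate_fail_open(security: List[dict], schemes: dict, request: Request) -> List[str]:
    """Behaviour as reported: a scheme the validator cannot check is skipped,
    which makes the alternative containing it pass unconditionally."""
    for alternative in security:
        satisfied = True
        for scheme_name in alternative:
            scheme = schemes[scheme_name]
            if scheme["in"] not in ("header", "query"):
                continue  # BUG: unknown location silently counts as satisfied
            satisfied = satisfied and scheme_satisfied(scheme, request)
        if satisfied:
            return []
    return ["no security requirement satisfied"]


def validate_fail_closed(security: List[dict], schemes: dict, request: Request) -> List[str]:
    """Every referenced scheme is checked; an unsupported scheme is an error,
    never a free pass. Returns [] only if some alternative is fully satisfied."""
    errors: List[str] = []
    for alternative in security:
        missing: List[str] = []
        for scheme_name in alternative:
            scheme = schemes[scheme_name]
            if scheme["type"] != "apiKey" or scheme["in"] not in SUPPORTED_LOCATIONS:
                missing.append(f"{scheme_name}: unsupported scheme, cannot validate")
            elif not scheme_satisfied(scheme, request):
                missing.append(f"{scheme_name}: missing {scheme['in']} '{scheme['name']}'")
        if not missing:
            return []
        errors.extend(missing)
    return errors


if __name__ == "__main__":
    # Constructed request carrying no credentials at all.
    anonymous = Request()
    print("fail-open:  ", validate_fail_open(OPERATION_SECURITY, SECURITY_SCHEMES, anonymous))
    print("fail-closed:", validate_fail_closed(OPERATION_SECURITY, SECURITY_SCHEMES, anonymous))
```

The check a practitioner wants is the one the fail-closed variant makes: an unsupported or unimplemented scheme must surface as a validation error, because under OR semantics a single silently skipped alternative is enough to wave through every request, which is exactly why the reporter sees the other securitySchemes being ignored as well.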
Comments (6)

Thanks for raising this. You are correct - validation of cookie auth schemes is not currently implemented (see https://bitbucket.org/atlassian/swagger-request-validator/src/master/docs/OPENAPIv3.md).
If you’d like to raise a PR to add support I will gladly review it, otherwise I will try to find time in the coming weeks to add support (it should be quite simple to add).
Cheers.

reporter: Hi James,
Did you get a chance to check/implement this?
Regards,
Shobhit Saxena

I haven’t had time, no. Happy to review PRs, but it might be a few more weeks before I get time to allocate to this.
Cheers.

changed status to open

changed status to resolved
Available in v2.10.2

reporter: Thank you!!