Allow load of security handlers from module using "securityHandlersModule" property on swagger_security fitting

Author: theganyo

fittings/swagger_security.js

@@ -4,16 +4,28 @@ var debug = require('debug')('swagger:swagger_security');
 var async = require('async');
 var helpers = require('../lib/helpers');
 var _ = require('lodash');
+var path = require('path');
 
 module.exports = function create(fittingDef, bagpipes) {
 
   debug('config: %j', fittingDef);
 
+  var runner = bagpipes.config.swaggerNodeRunner;
+
+  if (fittingDef.securityHandlersModule && !runner.config.securityHandlers) {
+
+    var appRoot = runner.config.swagger.appRoot;
+    var handlersPath = path.resolve(appRoot, fittingDef.securityHandlersModule);
+
+    runner.securityHandlers = require(handlersPath);
+    debug('loaded handlers: %s from: %s', Object.keys(runner.securityHandlers), handlersPath);
+  }
+
   return function swagger_security(context, cb) {
 
     debug('exec');
 
-    var handlers = bagpipes.config.swaggerNodeRunner.securityHandlers || {};
+    var handlers = runner.securityHandlers || {};
     var req = context.request;
     var operation = req.swagger.operation;
 

index.js

@@ -39,12 +39,7 @@ var SWAGGER_SELECTED_PIPE = 'x-swagger-pipe';
 var SWAGGER_ROUTER_CONTROLLER = 'x-swagger-router-controller';
 var DEFAULT_FITTINGS_DIRS = [ 'api/fittings' ];
 var DEFAULT_VIEWS_DIRS = [ 'api/views' ];
-var DEFAULT_APP_PATHS = { // relative to appRoot
-  swaggerFile: 'api/swagger/swagger.yaml',
-  controllersDir: 'api/controllers',
-  mockControllersDir: 'api/mocks',
-  helpers: 'api/helpers'
-};
+var DEFAULT_SWAGGER_FILE = 'api/swagger/swagger.yaml'; // relative to appRoot
 
 /*
 SwaggerNode config priority:
@@ -188,7 +183,7 @@ function Runner(appJsConfig, cb) {
 
   var self = this;
   var swayOpts = {
-    definition: appJsConfig.swagger || appJsConfig.swaggerFile || this.resolveAppPath(DEFAULT_APP_PATHS.swaggerFile)
+    definition: appJsConfig.swagger || appJsConfig.swaggerFile || this.resolveAppPath(DEFAULT_SWAGGER_FILE)
   };
 
   // sway uses Promises
@@ -275,10 +270,14 @@ function createPipes(self) {
         name: 'swagger_validator',
         validateReponse: true
       },
+      _swagger_security: {
+        name: 'swagger_security',
+        securityHandlersModule: 'api/helpers/securityHandlers'
+      },
       swagger_controllers: [
         'cors',
         'swagger_params_parser',
-        'swagger_security',
+        '_swagger_security',
         '_swagger_validate',
         'express_compatibility',
         '_router'

test/assets/project/api/helpers/securityHandlers.js

@@ -0,0 +1,9 @@
+module.exports = {
+  api_key: function failure(req, res, next) {
+    if (req.swagger.params.name.value === 'Scott') {
+      next();
+    } else {
+      next(new Error('no way!'));
+    }
+  }
+};

test/assets/project/config/default.yaml

@@ -19,12 +19,16 @@ swagger:
       name: swagger_validator
       validateResponse: true
 
+    _swagger_security:
+      name: swagger_security
+      securityHandlersModule: api/helpers/securityHandlers
+
     # pipe for all swagger-node controllers
     swagger_controllers:
       - onError: json_error_handler
       - cors
       - swagger_params_parser
-      - swagger_security
+      - _swagger_security
       - _swagger_validate
       - express_compatibility
       - _router

test/lib/common.js

@@ -213,68 +213,111 @@ module.exports = function() {
 
   describe('security', function() {
 
-    it('should deny when missing handler', function(done) {
-      request(this.app)
-        .get('/hello_secured')
-        .set('Accept', 'application/json')
-        .expect(403)
-        .expect('Content-Type', /json/)
-        .end(function(err, res) {
-          should.not.exist(err);
+    describe('loaded from path', function() {
 
-          res.body.should.have.properties({
-            code: 'server_error',
-            message: 'Unknown security handler: api_key'
+      it('should deny when swagger-tools handler denies', function(done) {
+
+        request(this.app)
+          .get('/hello_secured')
+          .set('Accept', 'application/json')
+          .expect(403)
+          .expect('Content-Type', /json/)
+          .end(function(err, res) {
+            should.not.exist(err);
+
+            res.body.should.have.properties({
+              code: 'server_error',
+              message: 'no way!'
+            });
+
+            done();
           });
+      });
 
-          done();
-        });
+      it('should allow when swagger-tools handler accepts', function(done) {
+
+        request(this.app)
+          .get('/hello_secured?name=Scott')
+          .set('Accept', 'application/json')
+          .expect(200)
+          .expect('Content-Type', /json/)
+          .end(function(err, res) {
+            should.not.exist(err);
+            res.body.should.eql('Hello, Scott!');
+
+            done();
+          });
+      });
     });
 
-    it('should deny when swagger-tools handler denies', function(done) {
+    describe('explicit in config', function() {
 
-      this.runner.securityHandlers = {
-        api_key: function(req, secDef, key, cb) {
-          cb(new Error('no way!'));
-        }
-      };
+      it('should deny when missing handler', function(done) {
 
-      request(this.app)
-        .get('/hello_secured')
-        .set('Accept', 'application/json')
-        .expect(403)
-        .expect('Content-Type', /json/)
-        .end(function(err, res) {
-          should.not.exist(err);
+        this.runner.securityHandlers = { };
 
-          res.body.should.have.properties({
-            code: 'server_error',
-            message: 'no way!'
+        request(this.app)
+          .get('/hello_secured')
+          .set('Accept', 'application/json')
+          .expect(403)
+          .expect('Content-Type', /json/)
+          .end(function(err, res) {
+            should.not.exist(err);
+
+            res.body.should.have.properties({
+              code: 'server_error',
+              message: 'Unknown security handler: api_key'
+            });
+
+            done();
           });
+      });
 
-          done();
-        });
-    });
+      it('should deny when swagger-tools handler denies', function(done) {
 
-    it('should allow when swagger-tools handler accepts', function(done) {
+        this.runner.securityHandlers = {
+          api_key: function(req, secDef, key, cb) {
+            cb(new Error('no way!'));
+          }
+        };
 
-      this.runner.securityHandlers = {
-        api_key: function(req, secDef, key, cb) {
-          cb();
-        }
-      };
+        request(this.app)
+          .get('/hello_secured')
+          .set('Accept', 'application/json')
+          .expect(403)
+          .expect('Content-Type', /json/)
+          .end(function(err, res) {
+            should.not.exist(err);
 
-      request(this.app)
-        .get('/hello_secured')
-        .set('Accept', 'application/json')
-        .expect(200)
-        .expect('Content-Type', /json/)
-        .end(function(err, res) {
-          should.not.exist(err);
-          res.body.should.eql('Hello, stranger!');
+            res.body.should.have.properties({
+              code: 'server_error',
+              message: 'no way!'
+            });
 
-          done();
-        });
+            done();
+          });
+      });
+
+      it('should allow when swagger-tools handler accepts', function(done) {
+
+        this.runner.securityHandlers = {
+          api_key: function(req, secDef, key, cb) {
+            cb();
+          }
+        };
+
+        request(this.app)
+          .get('/hello_secured')
+          .set('Accept', 'application/json')
+          .expect(200)
+          .expect('Content-Type', /json/)
+          .end(function(err, res) {
+            should.not.exist(err);
+            res.body.should.eql('Hello, stranger!');
+
+            done();
+          });
+      });
     });
   });