openapi3filter: don't consume request body in AuthenticatorFunc
#1064
+263
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jamietanna
changed the title
AuthenticatorFuncAuthenticatorFunc
jamietanna
force-pushed
the
defect/body
branch
3 times, most recently
from
d8931da to
40c18e4
Compare
As noted in getkin#743, some users of the `openapi3filter`, largely via `oapi-codegen` and `openapi.tanna.dev/go/validator`[0] are seeing that when using an `AuthenticationFunc`, this can lead to errors such as: request body has an error: value is required but missing Or: request body has an error: reading failed: http: invalid Read on closed Body This turns out to be down to the fact that a call to the `AuthenticationFunc` may read the request body, but due to the way that Go's `io.Reader`s can only be read once, this then means the body cannot be read by anyone else further in the request chain. To resolve this, we can make sure that each iteration of the `AuthenticationFunc` gets a fresh copy of the request body (in its own `io.Reader`). This follows logic that exists within the `ValidateRequestBody` method, with an additional layer of caching the raw bytes from the body. We also add tests to validate: - calling the `ValidateRequest` body function with an `AuthenticationFunc` that reads the request body - using an integration test with a test HTTP server also works, indicating that the HTTP handler can then read the request body itself Closes getkin#743. [0]: https://gitlab.com/jamietanna/httptest-openapi/-/issues/5
Collaborator
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As noted in #743, some users of the
openapi3filter, largely viaoapi-codegenandopenapi.tanna.dev/go/validator0 are seeing thatwhen using an
AuthenticationFunc, this can lead to errors such as:Or:
This turns out to be down to the fact that a call to the
AuthenticationFuncmay read the request body, but due to the way thatGo's
io.Readers can only be read once, this then means the body cannotbe read by anyone else further in the request chain.
To resolve this, we can make sure that each iteration of the
AuthenticationFuncgets a fresh copy of the request body (in its ownio.Reader).This follows logic that exists within the
ValidateRequestBodymethod,with an additional layer of caching the raw bytes from the body.
We also add tests to validate:
ValidateRequestbody function with anAuthenticationFuncthat reads the request bodyindicating that the HTTP handler can then read the request body itself
Closes #743.