Merge pull request #222 from trojs/feature/access-forbidden

Feature/access forbidden
trojs · Nov 27, 2024 · 8237089 · 8237089
2 parents 4b2fced + 7f21dca
commit 8237089
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -92,11 +92,21 @@ const securityHandlers = [
   }
 ]
 
+const unauthorizedHandler = async (context, request, response) => {
+    response.status(401)
+    return {
+        status: 401,
+        timestamp: new Date(),
+        message: 'Unauthorized'
+    }
+}
+
 const api = new Api({
   version: 'v1',
   specification: openAPISpecification,
   controllers,
-  securityHandlers
+  securityHandlers,
+  unauthorizedHandler
 })
 ```
 

diff --git a/src/api.js b/src/api.js
@@ -23,6 +23,7 @@ import { setupRouter } from './router.js'
  * @property {Logger=} logger
  * @property {object=} meta
  * @property {SecurityHandler[]=} securityHandlers
+ * @property {Handler=} unauthorizedHandler
  * @property {boolean=} swagger
  * @property {boolean=} apiDocs
  * @property {AjvOpts=} ajvOptions
@@ -49,6 +50,7 @@ export class Api {
         logger,
         meta,
         securityHandlers,
+        unauthorizedHandler,
         swagger,
         apiDocs,
         ajvOptions
@@ -62,6 +64,7 @@ export class Api {
         this.logger = logger || console
         this.meta = meta || {}
         this.securityHandlers = securityHandlers || []
+        this.unauthorizedHandler = unauthorizedHandler || undefined
         this.swagger = swagger ?? true
         this.apiDocs = apiDocs ?? true
         this.ajvOptions = ajvOptions ?? { allErrors: false }
@@ -92,6 +95,7 @@ export class Api {
             logger: this.logger,
             meta: this.meta,
             securityHandlers: this.securityHandlers,
+            unauthorizedHandler: this.unauthorizedHandler,
             ajvOptions: this.ajvOptions
         })
         api.init()

diff --git a/src/router.js b/src/router.js
@@ -10,6 +10,7 @@ import { unauthorized } from './handlers/unauthorized.js'
 /**
  * @typedef {import('./api.js').Logger} Logger
  * @typedef {import('./api.js').SecurityHandler} SecurityHandler
+ * @typedef {import('./api.js').Handler} Handler
  * @typedef {import('ajv').Options} AjvOpts
  */
 
@@ -24,6 +25,7 @@ import { unauthorized } from './handlers/unauthorized.js'
  * @param {Logger=} params.logger
  * @param {object=} params.meta
  * @param {SecurityHandler[]=} params.securityHandlers
+ * @param {Handler=} params.unauthorizedHandler
  * @param {AjvOpts=} params.ajvOptions
  * @param {boolean=} params.mock
  * @returns {{ api: OpenAPIBackend<any>, openAPISpecification: object }}
@@ -37,6 +39,7 @@ export const setupRouter = ({
     logger,
     meta,
     securityHandlers = [],
+    unauthorizedHandler,
     ajvOptions = {},
     mock
 }) => {
@@ -52,7 +55,7 @@ export const setupRouter = ({
     })
 
     api.register({
-        unauthorizedHandler: unauthorized,
+        unauthorizedHandler: unauthorizedHandler || unauthorized,
         validationFail: requestValidation,
         notFound,
         postResponseHandler: responseValidation

diff --git a/src/server.test.js b/src/server.test.js
@@ -64,12 +64,22 @@ const securityHandlers = [
         handler: customHandler
     }
 ]
+
+const unauthorizedHandler = async (_context, _request, response) => {
+    response.status(403)
+    return {
+        status: 403,
+        timestamp: new Date(),
+        message: 'Unauthorized'
+    }
+}
 const api = new Api({
     version: 'v1',
     specification: openAPISpecification,
     controllers,
     secret: envExample.SECRET,
     securityHandlers,
+    unauthorizedHandler,
     ajvOptions: { allErrors: true }
 })
 const { app } = await setupServer({
@@ -111,19 +121,19 @@ test('Test the server', async (t) => {
     )
 
     await t.test(
-        'It should response with a 401 message if you forgot the secret in the header',
+        'It should response with a 403 message if you forgot the secret in the header',
         async () => {
             const response = await request.get('/v1/messages')
 
-            assert.strictEqual(response.status, 401)
+            assert.strictEqual(response.status, 403)
             assert.deepEqual(
                 {
                     message: response.body.message,
                     status: response.body.status
                 },
                 {
                     message: 'Unauthorized',
-                    status: 401
+                    status: 403
                 }
             )
         }
@@ -219,13 +229,13 @@ test('Test the server', async (t) => {
     )
 
     await t.test(
-        'It should return 401 with the wrong secret for the custom security handler',
+        'It should return 403 with the wrong secret for the custom security handler',
         async () => {
             const response = await request
                 .get('/v1/user-secure')
                 .set('authorization', 'not-the-secret')
 
-            assert.strictEqual(response.status, 401)
+            assert.strictEqual(response.status, 403)
         }
     )
 })