Question: arguments-aware authorization possible? #1513

Closed
ondrejpar opened this issue Nov 15, 2023 · 5 comments
@ondrejpar

Hi, I have a controller similar to this:

```typescript
@Route('/api')
class PetshopController extends Controller {
  @Get('/{shopId}/pets')
  getPets(@Query() shopId: string) { ... }
  @Post('/{shopId}/pets')
  addPet(@Query() shopId: string) { ... }
  // ...ten more methods that use shopId
}
```

I need to verify (authorize) that the caller can access the shop identified by `shopId`. The authorization is quite complex and involves a database.

I can add `await authorizeShopAccess(shopId)` to the beginning of every method, but is there a way to write this only once? As far as I can tell, the middlewares don't have access to path parameters (or arguments in general) and `@Security` only handles authentication, not authorization.

@WoH
Collaborator

WoH commented Nov 15, 2023

> the middlewares don't have access to path parameters (or arguments in general)

But the request object

@ondrejpar
Author

@WoH well, yes, but I would have to parse the path again and keep patterns in sync at two different places - not DRY.

@WoH
Collaborator

WoH commented Nov 15, 2023

Then you probably want your own Decorator.
(Albeit lose the OpenAPI response docs)

@ondrejpar
Author

Did that and it works perfectly. I created my own Authorizer (the code is a bit complex for TypeScript 4, I think it could be simplified for TypeScript 5) which uses Proxy to intercept all calls to the annotated class and performs authorization. In fact, it's all completely independent of TSOA.
Thanks for the help.
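
The Proxy-based approach described in the last comment, sketched as an added example; it is not the author's Authorizer and not tsoa code. It assumes every guarded method takes `shopId` as its first argument; `guardInstance`, `withShopAuthorization`, `ForbiddenError`, `BaseController` and the in-memory allow-list are hypothetical names and constructed sample data.

```typescript
// Added example. Names and the "first argument is shopId" convention are
// assumptions for illustration; none of this is a tsoa API.
type Authorize = (shopId: string) => Promise<boolean>;

class ForbiddenError extends Error {
  status = 403; // lets an error handler map the rejection to HTTP 403
}

function guardInstance<T extends object>(instance: T, authorize: Authorize): T {
  // Guard only methods the controller class declares; inherited helpers pass through.
  const own = Object.getPrototypeOf(instance);
  return new Proxy(instance, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      const guarded = typeof value === "function" && prop !== "constructor" &&
        Object.prototype.hasOwnProperty.call(own, prop);
      if (!guarded) return value;
      return async (...args: unknown[]) => {
        const shopId = args[0];
        // Fail closed: a missing or non-string id is denied before the body runs.
        if (typeof shopId !== "string" || !(await authorize(shopId))) {
          throw new ForbiddenError("access to shop denied");
        }
        return value.apply(target, args);
      };
    },
  });
}

// Wrap the class so every instance created with `new` comes back guarded.
function withShopAuthorization<C extends new (...args: any[]) => object>(
  Ctor: C, authorize: Authorize): C {
  return new Proxy(Ctor, {
    construct: (target, args, newTarget) =>
      guardInstance(Reflect.construct(target, args, newTarget), authorize),
  });
}

// Constructed sample data standing in for the database-backed check.
const allowedShops = new Set(["shop-1"]);
const authorizeShopAccess: Authorize = async (id) => allowedShops.has(id);

class BaseController { getStatus() { return 200; } } // stand-in base class
class PetshopController extends BaseController {
  pets: string[] = [];
  async getPets(shopId: string) { return this.pets.filter((p) => p.startsWith(shopId + "/")); }
  async addPet(shopId: string, name: string) { this.pets.push(`${shopId}/${name}`); }
}
const GuardedPetshop = withShopAuthorization(PetshopController, authorizeShopAccess);
```

Calls made through `this` inside the class, and any reference to the unwrapped `PetshopController`, bypass the guard, so only the wrapped class should be exposed to calling code.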
