This repository has been archived by the owner on May 10, 2024. It is now read-only.

Headers only defined in security scheme are removed from the request #79

Closed
cpetrov opened this issue Sep 30, 2015 · 4 comments

@cpetrov

cpetrov commented Sep 30, 2015

Custom headers used to describe a security scheme get removed from the request if only the security scheme is referenced, e.g.:

securitySchemes:
  - custom_auth:
      type: x-custom-auth
      describedBy:
        headers:
          Custom-Token:
            type: string
...

/foo:
  get: 
    securedBy: [custom_auth]

In this example the custom-token header is stripped from the request. This works:

securitySchemes:
  - custom_auth:
      type: x-custom-auth
      describedBy:
        headers:
          Custom-Token:
            type: string
...

/foo:
  get: 
    securedBy: [custom_auth]
    headers:
      Custom-Token:
        type: string

One would expect security headers to be recognised from the scheme and not to be stripped from the request. Declaring them for each entry point is redundant.
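The behaviour the report asks for, as an added example that is not Osprey's own code: when deciding which request headers to keep, merge the method's declared headers with the headers declared in each referenced security scheme's describedBy block. The parsed-RAML object shape, the function names and the sample request are assumptions made for this illustration.

```javascript
// Added example, not Osprey's implementation. Assumes the RAML has already
// been parsed into plain objects with the shape shown below.
const api = {
  securitySchemes: {
    custom_auth: {
      type: 'x-custom-auth',
      describedBy: { headers: { 'Custom-Token': { type: 'string' } } },
    },
  },
  resources: {
    '/foo': {
      get: { securedBy: ['custom_auth'], headers: { Accept: { type: 'string' } } },
    },
  },
};

// Allowed header names for a method. With includeSchemeHeaders=false this
// reproduces the reported bug: only headers listed on the method survive.
// Names are lower-cased because HTTP header names are case-insensitive.
function collectAllowedHeaders(api, method, includeSchemeHeaders = true) {
  const names = new Set(Object.keys(method.headers || {}).map((h) => h.toLowerCase()));
  if (!includeSchemeHeaders) return names;
  for (const ref of method.securedBy || []) {
    if (ref === null) continue; // `null` in securedBy means the method may be called unauthenticated
    const scheme = api.securitySchemes[ref];
    if (!scheme) throw new Error(`unknown security scheme: ${ref}`);
    const described = (scheme.describedBy && scheme.describedBy.headers) || {};
    Object.keys(described).forEach((h) => names.add(h.toLowerCase()));
  }
  return names;
}

// Drop every request header not in the allowed set; returns the kept headers.
function filterHeaders(requestHeaders, allowed) {
  const kept = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (allowed.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Constructed sample request: the token, a declared header and an undeclared one.
const method = api.resources['/foo'].get;
const request = { 'Custom-Token': 'abc123', Accept: 'application/json', 'X-Debug': '1' };
const buggy = filterHeaders(request, collectAllowedHeaders(api, method, false));
const fixed = filterHeaders(request, collectAllowedHeaders(api, method));
console.log('scheme headers ignored:', buggy); // Custom-Token is lost
console.log('scheme headers merged: ', fixed); // Custom-Token kept, X-Debug dropped
```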

@blakeembrey
Contributor

That's a great catch, thanks! 👍 I'll be sure to fix it. A quick question on this - could you make use of the security layer here? I'd love a little more context on the usage of the header in the application (if it's aside from authentication).

@cpetrov
Author

cpetrov commented Oct 1, 2015

In my case no - the token was only delegated to another service.

@sallespro

Hi, I am having a problem authenticating with passport-jwt following @gciatto's approach as shown in #102

would it be a victim of the header removal as well !?

I noticed in passport's strategy verify function the token payload is received in the request, but it seems to be unauthorized further along the middleware, in Osprey.

@brevity brevity self-assigned this Mar 26, 2018
brevity added a commit that referenced this issue Mar 28, 2018
@jstoiko
Contributor

jstoiko commented Apr 2, 2018

@cpetrov: #160 should address your issue.

jstoiko added a commit that referenced this issue Apr 2, 2018