The `AbstractSecurityConfig` adds OpenAPI `securityScheme` and `security` entries to the generated spec, but it does so at the root level of the spec, instead of per endpoint. That is fine, as long as you apply the logic for all endpoints. But it also allows you to exclude certain paths from processing, and yet the `security` spec will apply for those endpoints, too. That is because it gets defined at the root level of the OpenAPI spec, instead of per path.

A local `security` will overwrite the global one, but if there's an endpoint without authentication, the `security` should not be added to the root of the spec as there won't be a local `security` declaration.

A related thing is that the `AbstractAuthenticationMiddleware` does not add `security` or `securityScheme` to the OpenAPI spec at all. You would kinda expect that it does, similar to FastAPI's `SecurityBase` inheritors (e.g. https://fastapi.tiangolo.com/tutorial/security/simple-oauth2). You have to separately provide `security=` in decorators/routers. But that's another thing, I guess.
N/A at this point but ping if unclear and I'll add.
2.4.5
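The mismatch reported above can be checked on any generated spec. The following is an added example, not code from the issue or from the project: it resolves the effective `security` of each operation under the OpenAPI inheritance rule (an operation-level `security` replaces the root one) and lists operations on excluded paths that the spec still documents as protected. The spec, the scheme name `BearerToken`, the paths and the exclude patterns (assumed to be regular expressions) are constructed sample values.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: root-level security, as the issue describes, plus one
# operation (/health) that overrides it locally with an empty requirement list.
SPEC = {
    "openapi": "3.1.0",
    "components": {"securitySchemes": {"BearerToken": {"type": "http", "scheme": "bearer"}}},
    "security": [{"BearerToken": []}],
    "paths": {
        "/login": {"post": {"responses": {}}},
        "/health": {"get": {"security": [], "responses": {}}},
        "/users": {"get": {"responses": {}}},
    },
}
# Assumption: paths excluded from authentication, given as regex patterns.
EXCLUDE = [r"^/login", r"^/health"]


def effective_security(spec):
    """Map (path, method) to the security requirements that apply to it."""
    root = spec.get("security", [])
    resolved = {}
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            # A local `security` key, even an empty list, replaces the root one.
            resolved[(path, method)] = operation.get("security", root)
    return resolved


def requires_auth(requirements):
    """True when every alternative names a scheme; [] or a {} entry allows anonymous."""
    return bool(requirements) and all(requirements)


def mislabelled_operations(spec, exclude_patterns):
    """Operations on excluded paths that the spec still documents as protected."""
    compiled = [re.compile(p) for p in exclude_patterns]
    return sorted(
        key for key, reqs in effective_security(spec).items()
        if requires_auth(reqs) and any(rx.search(key[0]) for rx in compiled)
    )


if __name__ == "__main__":
    for path, method in mislabelled_operations(SPEC, EXCLUDE):
        print(f"{method.upper()} {path}: excluded from auth but inherits root security")
```
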