Extract scopes from `request.routeOptions.schema.security`

[TastyPi]

Describe the problem you'd like to have solved

If I have an endpoint:

fastify.post("/foo", {
  schema: {
    security: [{Auth0: ["foo"]}]
  },
  preParsing: fastify.requireAuth({ scopes: ["foo"] })
})

It would be nice if requireAuth could automatically extract the scopes from the schema, so I don't have to specify them in two places.

Describe the ideal solution

Maybe something like this:

fastify.post("/foo", {
  schema: {
    security: [{Auth0: ["foo"]}]
  },
  preParsing: fastify.requireAuth({ schema: [0, "Auth0"] })
})

Maybe a global config to allow for just fastify.requireAuth()

Alternatives and current work-arounds

• Deal with the minor duplication
• Define the scopes in a const

Additional context

It's just a nice to have, not a big deal

[frederikprijck]

Hey, great idea.

I would need to figure out how this would make sense the most. Either we need to have the SDK dictate where to find the scopes exactly (and make it configurable), or we use:

fastify.register(() => {
  fastify.get(
    '/api/private',
    {
      schema: {
        security: [{ auth0: ['foo'] }],
      },
      preHandler: fastify.requireAuth({
        scopes: (request) => request.routeOptions.schema.security[0].auth0,
      }),
    },
    async (request: FastifyRequest, reply) => {
      return `Hello, ${request.user.sub}`;
    }
  );
});

This gives you the entire flexibility of where to get the scopes. Which may be a bit too flexible.

[TastyPi]

It would be nice if the route didn't need to call requireAuth at all and just defines the schema. Similar to how JSON schema validation works - the routes define the schema and the validation Just Works.

[frederikprijck]

That is what I mean with:

Either we need to have the SDK dictate where to find the scopes exactly (and make it configurable).

It's one of the possible solutions I think. I think we can:

• Do what I showed above: it would means the SDK doesn't assume anything about where the scopes come from. Least amount of complexity in the SDK, maximum flexibility,
• Do what you propose, and not even have to call requireAuth, but I think that needs a bit more changes and is the more complicated solution.
• Keep using requireAuth({ readScopesFromOpenApi: true }) (or have this be a global config), but then we also need to find a way to tell the SDK where to exactly find the scopes.