Making the OpenAPI docs only available to authenticated users

[scott2b]

I am wondering if there is a known approach to making the docs private. I tried creating a subclass of OpenAPIController with guards specified, but this approach did not seem to work for me. The guard I am using works for other controllers, but when applied to the OpenAPIController, there is an issue with the guard trying to access "auth" in scope that is not there for some reason.

I am open to other approaches, but for the sake of discussion, here is what I have:

The error when trying to access any of the schema endpoints:

raise ImproperlyConfiguredException("'auth' is not defined in scope, install an AuthMiddleware to set it")
litestar.exceptions.http_exceptions.ImproperlyConfiguredException: 500: 'auth' is not defined in scope, install an AuthMiddleware to set it

What I did to get here:

from litestar.openapi import OpenAPIController

class CustomDocController(OpenAPIController):
    guards = [requires(ClientAuthorizations.API)]
    middleware = [session_auth.middleware] # I've tried it with and without this specified. Same error

openapi_controller = CustomDocController

That controller is specified in the OpenAPI config, and then:

app = Litestar(
    ...
    on_app_init=[session_auth.on_app_init],
    openapi_config=openapi_config,
)

It may be worth noting that session_auth is a SessionAuth that uses a custom middleware subclassed from SessionAuthMiddleware, but it is working otherwise.

Also, here is the guard:

def requires(auth):
    def client_guard(
        connection: ASGIConnection, _: BaseRouteHandler
    ) -> None:
        if not auth in connection.auth: # <-- this is raising: 'auth' is not defined in scope, although this works for other controllers
            raise NotAuthorizedException
    return client_guard

Again, maybe there is just a standard way to do this and I can chuck all of the above. Otherwise, any thoughts on going about troubleshooting this would be much appreciated.

Thanks!

[scott2b]

It turns out that I had "/schema" as an exclude path on my SessionAuth instance. I removed that and my approach above now seems to be working. The gist of it is simply to subclass OpenAPIController and provide it with whatever guards you would normally use on a controller for your authentication approach:

from litestar.openapi import OpenAPIController

class CustomDocController(OpenAPIController):
    guards = [myguard]

Then specify that as the openapi_controller on the OpenAPIConfig.

[Numerlor]

For anyone searching, the custom controller option is getting deprecated, but you can define a custom router with openapi_router in the openapi config and pass guards/middlware there, e.g.

openapi_router=Router("/schema", route_handlers=[], middleware=[AuthMiddleware])