add security requirement scopes for some operations

src/c3nav/editor/newapi/endpoints.py

@@ -26,7 +26,8 @@ editor_api_router = APIRouter(tags=["editor"], auth=APITokenAuth(permissions={"e
 
 
 @editor_api_router.get('/bounds/', summary="Get editor map boundaries",
-                       response={200: BoundsSchema, **auth_permission_responses})
+                       response={200: BoundsSchema, **auth_permission_responses},
+                       openapi_extra={"security": [{"APITokenAuth": ["editor_access"]}]})
 @newapi_etag()
 def bounds():
     return {
@@ -35,7 +36,8 @@ def bounds():
 
 
 @editor_api_router.get('/geometrystyles/', summary="get the default colors for each geometry type",
-                       response={200: GeometryStylesSchema, **auth_permission_responses})
+                       response={200: GeometryStylesSchema, **auth_permission_responses},
+                       openapi_extra={"security": [{"APITokenAuth": ["editor_access"]}]})
 @newapi_etag(permissions=False)
 def geometrystyles():
     return {
@@ -61,7 +63,8 @@ def geometrystyles():
 
 @editor_api_router.get('/geometries/space/{space_id}/', summary="get the geometries to display for a space",
                        response={200: list[EditorSpaceGeometriesElemSchema], **API404.dict(),
-                                 **auth_permission_responses})
+                                 **auth_permission_responses},
+                       openapi_extra={"security": [{"APITokenAuth": ["editor_access"]}]})
 @newapi_etag()  # todo: correct?
 def space_geometries(space_id: EditorID, update_cache_key: UpdateCacheKey = None):
     """
@@ -72,7 +75,8 @@ def space_geometries(space_id: EditorID, update_cache_key: UpdateCacheKey = None
 
 @editor_api_router.get('/geometries/level/{level_id}/', summary="get the geometries to display for a level",
                        response={200: list[EditorLevelGeometriesElemSchema], **API404.dict(),
-                                 **auth_permission_responses})
+                                 **auth_permission_responses},
+                       openapi_extra={"security": [{"APITokenAuth": ["editor_access"]}]})
 @newapi_etag()  # todo: correct?
 def level_geometries(level_id: EditorID, update_cache_key: UpdateCacheKey = None):
     """
@@ -85,7 +89,8 @@ def level_geometries(level_id: EditorID, update_cache_key: UpdateCacheKey = None
 
 
 @editor_api_router.get('/{path:path}/', summary="access the editor UI programmatically",
-                       response={200: dict, **API404.dict(), **auth_permission_responses})
+                       response={200: dict, **API404.dict(), **auth_permission_responses},
+                       openapi_extra={"security": [{"APITokenAuth": ["editor_access"]}]})
 @newapi_etag()  # todo: correct?
 def view_as_api(path: str):
     """
@@ -98,7 +103,8 @@ def view_as_api(path: str):
 
 
 @editor_api_router.post('/{path:path}/', summary="access the editor UI programmatically",
-                        response={200: dict, **API404.dict(), **auth_permission_responses})
+                        response={200: dict, **API404.dict(), **auth_permission_responses},
+                        openapi_extra={"security": [{"APITokenAuth": ["editor_access", "write"]}]})
 @newapi_etag()  # todo: correct?
 def view_as_api(path: str):
     """

src/c3nav/mesh/newapi.py

@@ -72,14 +72,16 @@ class FirmwareSchema(Schema):
 
 
 @mesh_api_router.get('/firmwares/', summary="List available firmwares",
-                     response={200: list[FirmwareSchema], **validate_responses, **auth_responses})
+                     response={200: list[FirmwareSchema], **validate_responses, **auth_responses},
+                     openapi_extra={"security": [{"APITokenAuth": ["mesh_control", "write"]}]})
 @paginate
 def firmware_list(request):
     return FirmwareVersion.objects.all()
 
 
 @mesh_api_router.get('/firmwares/{firmware_id}/', summary="Get specific firmware",
-                     response={200: FirmwareSchema, **API404.dict(), **auth_responses})
+                     response={200: FirmwareSchema, **API404.dict(), **auth_responses},
+                     openapi_extra={"security": [{"APITokenAuth": ["mesh_control", "write"]}]})
 def firmware_by_id(request, firmware_id: int):
     try:
         return FirmwareVersion.objects.get(id=firmware_id)
@@ -90,11 +92,14 @@ def firmware_by_id(request, firmware_id: int):
 @mesh_api_router.get('/firmwares/{firmware_id}/{variant}/image_data',
                      summary="Get header data of firmware build image",
                      response={200: FirmwareImage.schema, **API404.dict(), **auth_responses},
-                     openapi_extra={"externalDocs": {
-                         'description': "esp-idf documentation",
-                         'url': "https://docs.espressif.com/projects/esptool/en/latest/esp32s3/"
-                                "advanced-topics/firmware-image-format.html"
-                     }})
+                     openapi_extra={
+                         "externalDocs": {
+                             'description': 'esp-idf docs',
+                             'url': "https://docs.espressif.com/projects/esp-idf/en/latest/esp32/"
+                                    "api-guides/build-system.html#build-system-metadata"
+                         },
+                         "security": [{"APITokenAuth": ["mesh_control"]}]
+                     })
 def firmware_build_image(request, firmware_id: int, variant: str):
     try:
         build = FirmwareBuild.objects.get(version_id=firmware_id, variant=variant)
@@ -106,11 +111,14 @@ def firmware_build_image(request, firmware_id: int, variant: str):
 @mesh_api_router.get('/firmwares/{firmware_id}/{variant}/project_description',
                      summary="Get project description of firmware build",
                      response={200: dict, **API404.dict(), **auth_responses},
-                     openapi_extra={"externalDocs": {
-                         'description': 'esp-idf docs',
-                         'url': "https://docs.espressif.com/projects/esp-idf/en/latest/esp32/"
-                                "api-guides/build-system.html#build-system-metadata"
-                     }})
+                     openapi_extra={
+                         "externalDocs": {
+                             'description': 'esp-idf docs',
+                             'url': "https://docs.espressif.com/projects/esp-idf/en/latest/esp32/"
+                                    "api-guides/build-system.html#build-system-metadata"
+                         },
+                         "security": [{"APITokenAuth": ["mesh_control"]}]
+                     })
 def firmware_project_description(request, firmware_id: int, variant: str):
     try:
         return FirmwareBuild.objects.get(version_id=firmware_id, variant=variant).firmware_description
@@ -147,7 +155,8 @@ class UploadFirmwareSchema(Schema):
 @mesh_api_router.post(
     '/firmwares/upload', summary="Upload firmware",
     description="your OpenAPI viewer might not show it: firmware_data is UploadFirmware as json",
-    response={200: FirmwareSchema, **validate_responses, **auth_permission_responses, **APIConflict.dict()}
+    response={200: FirmwareSchema, **validate_responses, **auth_permission_responses, **APIConflict.dict()},
+    openapi_extra={"security": [{"APITokenAuth": ["mesh_control", "write"]}]}
 )
 def firmware_upload(request, firmware_data: UploadFirmwareSchema, binary_files: list[UploadedFile]):
     binary_files_by_name = {binary_file.name: binary_file for binary_file in binary_files}
@@ -216,7 +225,8 @@ class NodeMessageSchema(Schema):
 
 @mesh_api_router.get(
     '/messages/', summary="query recorded mesh messages",
-    response={200: list[NodeMessageSchema], **auth_permission_responses}
+    response={200: list[NodeMessageSchema], **auth_permission_responses},
+    openapi_extra={"security": [{"APITokenAuth": ["mesh_control"]}]}
 )
 @paginate
 def messages_list(request, filters: Query[MessagesFilter]):