[BUG] Security path inputs always goes before regular input segments about tapir HOT 3 OPEN

This works as designed:

Any security inputs are decoded first, before regular inputs.

Maybe you can share the use-case of not having the security segment as the first ones, and maybe we can find another solution to the problem?

from tapir.

@adamw thank you for the clarification.
The problematic scenario is related to the authorization in the multi-tenancy service.
I will tackle the issue of declaring security path parameters as regular ones and share authorization logic between the endpoints. But it's not so clear solution, because security logic will leak to the service logic.

The example:
Let's take an OCPI protocol token interface as an example:
https://github.com/ocpi/ocpi/blob/master/mod_tokens.asciidoc#12-interfaces-and-endpoints

Endpoint structure definition:
{token_endpoint_url}/{country_code}/{party_id}/{token_uid}[?type={type}]
Example:
https://www.server.com/ocpi/cpo/2.2.1/tokens/NL/TNM/012345678

Authorization should check if a bearer is allowed to conduct actions for {country_code}/{party_id}. So we need to extract those two segments - NL/TNM in the example.
If we could extract those two segments to security logic we could have authentication and authorization enclosed in security scope.
Now we need to share the authorization code between GET/PUT/PATCH service logics.
This is not so uncommon pattern in authorization.

from tapir.

Ah ok, I see. In this situation, yes, you'll need to extract all path parameters that come before whatever you need in the security logic and make them pass-through, that is part of the security logic's output.

I think there were some downsides of having order-dependent decoding (it would probably complicate the data structure that represents an endpoint), but I agree that it's not always ideal.

from tapir.