Oaskit v0.10 – Breaking changes for the security plug

Hello everyone,

I’ve just pushed a small but important breaking change in Oaskit v0.10 around security handling.

From now on, Oaskit.Plugs.ValidateRequest will always call the configured :security plug, even for operations that don’t define any security requirements. This makes it much easier to implement a “deny by default” policy: your security plug now sees every request and can decide whether a route with security: nil should be considered public or rejected.

This helps to avoid the case when there is no global security definition, and you forgot to define security on an operation.

You will need to handle nil security after upgrading to v0.10. Sorry for the inconvenience!

If you don’t have a :security plug configured, the behaviour is unchanged and unsecured routes remain accessible.

I’ve given slightly more details here: Security changes in v0.10 — oaskit v0.10.0

This is the only change for that new version.

Cheers!

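A sketch of a deny-by-default security plug that handles the nil case described in this post. This is an added example, not code from the post, the Oaskit project or its author. The module name, the allowlisted operation ids, the `bearerAuth` scheme name, the `API_TOKEN` variable and the assumption that the plug options carry `:security` and `:operation_id` are all hypothetical; check the Oaskit documentation for the exact option names.

```elixir
defmodule MyAppWeb.Plugs.ApiSecurity do
  # Added example with hypothetical names, not Oaskit's own code.
  # Assumption: the options given to this plug carry the operation's security
  # requirements under :security and its id under :operation_id.
  @behaviour Plug
  import Plug.Conn

  # Constructed operation ids: routes that are intentionally public.
  @public_operations ["health_check", "get_openapi_spec"]

  @impl true
  def init(opts), do: Map.new(opts)

  @impl true
  def call(conn, opts) do
    # A missing :security key reads as nil, so it is denied by default too.
    case decide(opts[:security], opts[:operation_id], bearer_token(conn)) do
      :allow -> conn
      {:deny, status} -> conn |> send_resp(status, "") |> halt()
    end
  end

  # No security on the operation: public only when explicitly allowlisted.
  def decide(nil, operation_id, _token) do
    if operation_id in @public_operations, do: :allow, else: {:deny, 403}
  end

  # Requirements present (an empty list is denied): only "bearerAuth" is understood.
  def decide(requirements, _operation_id, token) when is_list(requirements) do
    cond do
      not Enum.any?(requirements, &match?(%{"bearerAuth" => _}, &1)) -> {:deny, 403}
      is_binary(token) and valid_token?(token) -> :allow
      true -> {:deny, 401}
    end
  end

  # Any other shape is unexpected input: reject it.
  def decide(_other, _operation_id, _token), do: {:deny, 403}

  defp bearer_token(conn) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] -> token
      _ -> nil
    end
  end

  # Placeholder check against an environment variable; swap in real token verification.
  defp valid_token?(token), do: Plug.Crypto.secure_compare(token, System.fetch_env!("API_TOKEN"))
end
```

Keeping `decide/3` free of `conn` lets the nil, allowlisted and authenticated cases be unit-tested without building a request.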