Add default security to all endpoints

[lieutdan13]

@karec I was able to find a solution to the issue with Swagger not sending the bearer token. As you suggested, I enabled jwt for all endpoints. /auth/login already had security: [] added.

[lieutdan13]

@karec It appears that Marshmallow SqlAlchemy no longer supports Python 3.5 in the latest version. There are a few ways to resolve this.

• You could remove support for Python 3.5
• You could pin Marshmallow SqlAlchemy to a version below the latest.
  • When I do this, the build fails for another reason.

[lieutdan13]

Ok. @karec I've fixed the dependencies to work with Python 3.5. I can open a different PR to address the issue separately if you wish. Let me know.

[lieutdan13]

Fixes #22

[karec]

@lieutdan13 Thanks for your PR !

For python version, I think dropping python 3.5 support is doable, this project is a boilerplate to start APIs, not a library, so we should encourage using latest python version as much as we can and python 3.8 is out. But don't worry too much about it, pining dependencies for this pull request is OK, I'll take care of updating travis-ci configuration.

I'll do the code review ASAP for the remaining part

[karec]

Since we're in the extension code here, what do you think of passing **kwargs to init_app (and __init__ by extension) instead of setting it directly in the code ? That will require an extra setting to pass on app factory but will allow users to update it directly in app factory instead of updating extension code if they decide to switch from jwt to oauth for example.

Then we can pass our **kwargs to APISpec, this will also allow users to update more settings if required

[lieutdan13]

Sure! I can do that. I can also add security_type as an option to #24 and allow the user to choose.

Something like this?

    def __init__(self, app=None, **kwargs):
        self.spec = None
        if app is not None:
            self.init_app(app, **kwargs)

    def init_app(self, app, **kwargs):
        ...
        self.spec = APISpec(
            title=app.config["APISPEC_TITLE"],
            version=app.config["APISPEC_VERSION"],
            openapi_version=app.config["OPENAPI_VERSION"],
            plugins=[MarshmallowPlugin(), FlaskRestfulPlugin()],
            security=kwargs.get('security'),
        )

Then in extension.py:

apispec = APISpecExt(security=[{"jwt": []}])

[karec]

Letting users choose their security_type may conflict with how authentication is implemented actually, but since we declare security scheme in app factory, it makes more sense to only have to update it in one place.

For **kwargs we could also forward them all to APISpec:

    def __init__(self, app=None, **kwargs):
        self.spec = None
        if app is not None:
            self.init_app(app, **kwargs)

    def init_app(self, app, **kwargs):
        ...
        self.spec = APISpec(
            title=app.config["APISPEC_TITLE"],
            version=app.config["APISPEC_VERSION"],
            openapi_version=app.config["OPENAPI_VERSION"],
            plugins=[MarshmallowPlugin(), FlaskRestfulPlugin()],
            **kwargs
        )

So it will allow us to pass any other top-level key at app factory level (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#openapi-object) and (https://apispec.readthedocs.io/en/latest/api_core.html#apispec.APISpec)

And then in app.py

def configure_apispec(app):
    """Configure APISpec for swagger support
    """
    apispec.init_app(app, security=[{"jwt": []}])
    apispec.spec.components.security_scheme("jwt", {
        "type": "http",
        "scheme": "bearer",
        "bearerFormat": "JWT",
    })
    apispec.spec.components.schema(
        "PaginatedResult", {
            "properties": {
                "total": {"type": "integer"},
                "pages": {"type": "integer"},
                "next": {"type": "string"},
                "prev": {"type": "string"},
            }})

[lieutdan13]

Got it. I'll push up a change soon.

[lieutdan13]

All changes requested have been made.

[karec]

@lieutdan13 Thanks again for this PR ! I'm merging it right now