Conversation
xiaoranzhou
left a comment
from copilot:

Yes, the changes in your diff follow OpenAPI standards.

What was changed:

- Added Security Requirement at the Root Level

  ```yaml
  security:
    - BearerAuth: []
  ```

  - OpenAPI Standard: The `security` field at the root level sets a global security requirement for all endpoints unless overridden at the operation level.
  - Reference: OpenAPI Specification: Security Requirement Object

- Added Security Scheme under `components.securitySchemes`

  ```yaml
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
  ```

  - OpenAPI Standard: Under `components.securitySchemes`, you define security schemes used in the API. `type: http` and `scheme: bearer` are the correct values for bearer token (usually JWT) authentication.
  - Reference: OpenAPI Specification: Security Scheme Object

Summary

- The new fields are valid according to the OpenAPI 3.x specification.
- Your syntax and structure are correct for declaring and using bearer authentication.

Result:

Your changes comply with OpenAPI standards. If you want to make it explicit that you are using JWT, you can add `bearerFormat: JWT`, but it is optional:

```yaml
securitySchemes:
  BearerAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT
```

This looks good @ValentinFutterer. I like that you have defined it at the global level. Most endpoints (and future endpoints) will require authorization.
Do we want to provide overrides though for GET /dmps/{id} and GET /dmps so that DMP metadata can be fetched publicly without a token? My tool has the concept of public and private DMPs. It would of course be up to the tool to determine whether or not an unauthenticated caller can access the data
For example:

```yaml
/dmps/{id}:
  get:
    security:
      - {}              # allows unauthenticated access
      - BearerAuth: []  # also allows authenticated access
```
I would advise against it, since to my understanding, code generators would produce only one unauthorized endpoint in this case. Depends on whether others also need this.
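The global requirement and the per-operation override discussed above, as an added example that is not code from this PR or the project: a small Python checker that resolves each operation's effective security requirement (root-level default unless the operation overrides it), flags operations that permit anonymous access, and reports references to schemes missing from `components.securitySchemes`. The spec is a constructed sample embedded as a dict so the script runs without a YAML library.

```python
"""Resolve the effective OpenAPI security requirement per operation (added example)."""
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample document mirroring the thread: global BearerAuth, with
# GET /dmps/{id} also allowing anonymous access, and one deliberately bad reference.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"BearerAuth": []}],
    "components": {"securitySchemes": {"BearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/dmps": {"get": {}, "post": {}},
        "/dmps/{id}": {
            "get": {"security": [{}, {"BearerAuth": []}]},  # optional-auth override
            "put": {"security": [{"ApiKey": []}]},          # scheme not defined (constructed)
        },
    },
}


def effective_security(spec, path, method):
    """An operation-level `security` list replaces the root list entirely; otherwise inherit."""
    op = spec["paths"][path][method]
    return op["security"] if "security" in op else spec.get("security", [])


def audit(spec):
    """Return (operations reachable without credentials, (operation, undefined scheme) pairs)."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    anonymous, unknown = [], []
    for path, item in spec["paths"].items():
        for method in item:
            if method not in HTTP_METHODS:
                continue
            label = f"{method.upper()} {path}"
            reqs = effective_security(spec, path, method)
            # An empty list disables security; an empty {} alternative permits no-auth access.
            if not reqs or {} in reqs:
                anonymous.append(label)
            for req in reqs:
                for scheme in req:
                    if scheme not in defined:
                        unknown.append((label, scheme))
    return anonymous, unknown


if __name__ == "__main__":
    anon, unk = audit(SPEC)
    print("anonymous access:", anon)        # ['GET /dmps/{id}']
    print("undefined schemes:", unk)        # [('PUT /dmps/{id}', 'ApiKey')]
```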
Added the security schema `BearerAuth` and activated it globally (for every endpoint). I added no `bearerFormat`, since I assume that every tool would use different token types (e.g. DAMAP would use JWTs). Another option is to fixate on a single format, but that would need to be discussed.

Closes #6