lukeautry · WoH · May 7, 2020 · May 6, 2020 · May 6, 2020
diff --git a/src/decorators/security.ts b/src/decorators/security.ts
@@ -1,3 +1,12 @@
+/**
+ * Can be used to indicate that a method requires no security.
+ */
+export function NoSecurity(): Function {
+  return () => {
+    return;
+  };
+}
+
 /**
  * @param {name} security name from securityDefinitions
  */

diff --git a/src/metadataGeneration/controllerGenerator.ts b/src/metadataGeneration/controllerGenerator.ts
@@ -79,7 +79,13 @@ export class ControllerGenerator {
   }
 
   private getSecurity(): Tsoa.Security[] {
+    const noSecurityDecorators = getDecorators(this.node, identifier => identifier.text === 'NoSecurity');
     const securityDecorators = getDecorators(this.node, identifier => identifier.text === 'Security');
+
+    if (noSecurityDecorators?.length) {
+      throw new GenerateMetadataError(`NoSecurity decorator is unnecessary in '${this.node.name!.text}' class.`);
+    }
+
     if (!securityDecorators || !securityDecorators.length) {
       return [];
     }

diff --git a/src/metadataGeneration/methodGenerator.ts b/src/metadataGeneration/methodGenerator.ts
@@ -217,7 +217,21 @@ export class MethodGenerator {
   }
 
   private getSecurity(): Tsoa.Security[] {
+    const noSecurityDecorators = this.getDecoratorsByIdentifier(this.node, 'NoSecurity');
     const securityDecorators = this.getDecoratorsByIdentifier(this.node, 'Security');
+
+    if (noSecurityDecorators?.length > 1) {
+      throw new GenerateMetadataError(`Only one NoSecurity decorator allowed in '${this.getCurrentLocation}' method.`);
+    }
+
+    if (noSecurityDecorators?.length && securityDecorators?.length) {
+      throw new GenerateMetadataError(`NoSecurity decorator cannot be used in conjunction with Security decorator in '${this.getCurrentLocation}' method.`);
+    }
+
+    if (noSecurityDecorators?.length) {
+      return [];
+    }
+
     if (!securityDecorators || !securityDecorators.length) {
       return this.parentSecurity || [];
     }

diff --git a/tests/fixtures/controllers/noSecurityController.ts b/tests/fixtures/controllers/noSecurityController.ts
@@ -0,0 +1,30 @@
+import { Get, Request, Response, Route, Security, NoSecurity } from '../../../src';
+import { ErrorResponseModel, UserResponseModel } from '../../fixtures/testModel';
+
+interface RequestWithUser {
+  user?: any;
+}
+
+@Security('tsoa_auth', ['write:pets', 'read:pets'])
+@Route('NoSecurityTest')
+export class NoSecurityTestController {
+  @Response<ErrorResponseModel>('default', 'Unexpected error')
+  @Security('api_key')
+  @Get()
+  public async GetWithApi(@Request() request: RequestWithUser): Promise<UserResponseModel> {
+    return Promise.resolve(request.user);
+  }
+
+  @Response<ErrorResponseModel>('404', 'Not Found')
+  @Get('Oauth')
+  public async GetWithImplicitSecurity(@Request() request: RequestWithUser): Promise<UserResponseModel> {
+    return Promise.resolve(request.user);
+  }
+
+  @Response<ErrorResponseModel>('404', 'Not Found')
+  @Get('Anonymous')
+  @NoSecurity()
+  public async GetWithNoSecurity(@Request() request: RequestWithUser): Promise<UserResponseModel> {
+    return Promise.resolve(request.user);
+  }
+}
diff --git a/tests/unit/swagger/pathGeneration/noSecurityRoutes.spec.ts b/tests/unit/swagger/pathGeneration/noSecurityRoutes.spec.ts
@@ -0,0 +1,45 @@
+import { expect } from 'chai';
+import 'mocha';
+import { MetadataGenerator } from '../../../../src/metadataGeneration/metadataGenerator';
+import { SpecGenerator2 } from '../../../../src/swagger/specGenerator2';
+import { getDefaultExtendedOptions } from '../../../fixtures/defaultOptions';
+import { VerifyPath } from '../../utilities/verifyPath';
+
+describe('NoSecurity route generation', () => {
+  const metadata = new MetadataGenerator('./tests/fixtures/controllers/noSecurityController.ts').Generate();
+  const spec = new SpecGenerator2(metadata, getDefaultExtendedOptions()).GetSpec();
+
+  it('should generate a route with a named security', () => {
+    const path = verifyPath('/NoSecurityTest');
+
+    if (!path.get) {
+      throw new Error('No get operation.');
+    }
+
+    expect(path.get.security).to.deep.equal([{ api_key: [] }]);
+  });
+
+  it('should generate a route with scoped security', () => {
+    const path = verifyPath('/NoSecurityTest/Oauth');
+
+    if (!path.get) {
+      throw new Error('No get operation.');
+    }
+
+    expect(path.get.security).to.deep.equal([{ tsoa_auth: ['write:pets', 'read:pets'] }]);
+  });
+
+  it('should generate a route with no security', () => {
+    const path = verifyPath('/NoSecurityTest/Anonymous');
+
+    if (!path.get) {
+      throw new Error('No get operation.');
+    }
+
+    expect(path.get.security).to.deep.equal([]);
+  });
+
+  function verifyPath(route: string, isCollection?: boolean) {
+    return VerifyPath(spec, route, path => path.get, isCollection, false, '#/definitions/UserResponseModel');
+  }
+});