-
Notifications
You must be signed in to change notification settings - Fork 761
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie parameters and authorization #1163
Comments
This comment has been minimized.
This comment has been minimized.
If the API doc and the API endpoint are on the same origin, setting cookies with |
@shockey, is there any progress on this issue? |
Same here. I had to add the "header auth" to get the "local login" done 🥲, even though it's not a very good practice. |
amazing how this issue is still alive, my swagger doesnt send header |
I faced the same problem. I need to pass header Cookie to backed ... |
As an alternative solution setting withCredentials: true worked perfectly for my use case. https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/#withCredentials
So each time I make a request to /app/auth/login or /app/auth/register a http-only same-site cookie is stored by the browser and then it will be appended to each following request (so this approach avoids setting the authorization Swagger UI field) |
Will anything be done to fix this? |
Hi everybody, IMHO this is not something that is fixable. From security reasons it is just not technically possible to set the swagger-jsI'll start with Basic example using low-level swagger-js http clientGiven that
SameSite and Secure flags must be send so that following request will relay the cookie during the request. const response = await SwaggerClient.http({
url: <request-url>,
credentials: 'include',
}); Basic example of swagger-js HTTP client for OAS operationsGiven that
SameSite and Secure flags must be send so that following request will relay the cookie during the request. const pojoDefinition = {
"openapi": "3.0.0",
"info": {
"title": "Testing API",
"version": "1.0.0"
},
"components": {
"schemas": {
"user": {
"properties": {
"id": {
"type": "integer"
}
}
}
},
"securitySchemes": {
"BasicAuth": {
"type": "http",
"scheme": "basic"
},
"ApiKey": {
"type": "apiKey",
"in": "header",
"name": "X-API-KEY"
},
"BearerAuth": {
"type": "http",
"scheme": "bearer"
},
"oAuth2": {
"type": "oauth2",
"flows": {
"implicit": {
"authorizationUrl": "https://api.example.com/oauth2/authorize",
"scopes": {
"read": "authorize to read"
}
}
}
}
}
},
"servers": [
{
"url": "https://httpbin.org"
}
],
"paths": {
"/get": {
"get": {
"operationId": "getUserList",
"description": "Get list of users",
"security": [
{
"BasicAuth": [],
"BearerAuth": [],
"ApiKey": [],
"oAuth2": []
}
],
"parameters": [
{
"name": "q",
"in": "query",
"description": "search query parameter",
"schema": {
"type": "array",
"items": {
"type": "string"
}
},
"style": "pipeDelimited",
"explode": false
}
],
"responses": {
"200": {
"description": "List of users",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/user"
}
}
}
}
}
}
}
}
};
SwaggerClient.http.withCredentials = true;
const response = await SwaggerClient.execute({
spec: pojoDefinition,
operationId: 'getUserList',
parameters: { q: 'search string' },
}); Basic example of SwaggerUI +
|
Do you happen to have any updates regarding this issue? |
Any progress ? 🧐 |
Why cant document.cookie be used by swagger? |
Hi @ibrahim-ajarmeh, @plefebvre91 Did you manage to look at #1163 (comment)? |
@dreamfalcon can you elaborate in detail how that would work? I've already described how to use
window.ui = SwaggerUIBundle({
url: "https://petstore.swagger.io/v2/swagger.json",
dom_id: '#swagger-ui',
deepLinking: true,
presets: [
SwaggerUIBundle.presets.apis,
SwaggerUIStandalonePreset
],
plugins: [
SwaggerUIBundle.plugins.DownloadUrl
],
layout: "StandaloneLayout",
withCredentials: true,
}); This allows to create cookie from JavaScript using Now using the above mentioned solution doesn't work for different origin requests. As mentioned multiple times before, because of browser security limitations you cannot create a cookie using MDN: https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#write_a_new_cookie Cookie must be created by the server in the browser in order for SwaggerUI to resend the cookie when |
If I manually set document.cookie it works. |
@dreamfalcon all right, so we're talking about SwaggerUI specifically here, not swagger-client (this repo). Yes, in that case we can do what you suggest. We could modify |
Hi Guys, requestInterceptor:
(request) => {
request.credentials = 'include'
return request;
}, |
Currently, cookie parameters and authorizations fail to be applied in the browser, though it succeeds in Node. This is due to the fact that browsers bar applications from setting or mutating the
Cookie
request header arbitrarily(citation needed), while Node doesn't particularly care what you do with the header.swagger-js/src/execute/oas3/parameter-builders.js
Line 118 in a864beb
Here's some solutions that I came up with for Client/UI/Editor.
Possible solutions
document.cookie
to set the page's cookie content, send those cookies to another origin withfetch({ withCredentials: 'include' })
, then put the original cookies back.This approach would work, but it's quite hacky, and could cause problems for complex applications that use our library. It would not work in IE or Safari, since they don't support
withCredentials
, which is bad.This would only be needed when a user wants to use cookie parameters, but would require the user to maintain a server instance in order for their requests to work. (Or we maintain one.)
This is how Postman works.
This could be relatively straightforward: expose a Swagger-Client interface through an extension, and then call that interface instead of the Swagger-Client that comes with distributions of Swagger-UI/Swagger-Editor.
wontfix
for browsers.The text was updated successfully, but these errors were encountered: