Closed abhinav910 closed 4 years ago
I don't remember well why we didn't upgrade but there was a reason.
Ping @cbornet as I'm pretty sure you know the answer :-)
Even if we updated swagger-ui to 3.17.3, I doubt you would get openapi support because it's not yet supported by Springfox.
Indeed, Springfox doesn’t support OpenAPI yet. We didn’t migrate to the new UI at the time because there was no easy way to pass the auth token. It seems there are solutions now. But do we want to move to the new UI? I’m not sure I prefer it over the current one :smile:
Yes, we didn't migrate since the new version lacked some features which were available in the old version.
Here is the PR where I attempted to upgrade https://github.com/jhipster/generator-jhipster/pull/5645
But then we can't stay with the old version forever and would have to upgrade at some point. If someone can revive the PR and fix the outstanding items it would be great.
Thanks & Regards, Deepu
I am against migrating to swagger UI 3. The UI is awful and does not bring any new features (that I know of). I would rather move to ReDoc to provide API documentation (but the interactive querying is not possible yet).
In the end, we have something that works really well for now. So I'm not so keen on changing things and risk making things worse.
Following @PierreBesson's advice, I'm closing the ticket
I guess @deepu105 already did some work for Swagger UI v3. The current UI does not provide support for OpenAPI JSON, but the v3 UI does. I have checked both versions.
I thought JHipster always provides support for the latest version of components. My two cents.
@abhinav910 as @cbornet highlighted even if we update the UI lib it still wouldn't work since spring fox doesn't support it yet. I think we can do the upgrade once spring fox supports openAPI. Personally, I don't have any issue with the new UI, but it does lack some features compared to the old one.
And we would never support something just coz it's new, it needs to be justified as well, in most cases new is better but sadly in this case, new UI doesn't even have some features from the old one.
@abhinav910 Swagger UI is "just" the front-end part. The lib that generates the OpenAPI/Swagger spec is Springfox and it currently doesn't generate OAIv3 specs (see https://github.com/springfox/springfox/issues/2124). As soon as springfox supports OAI, be sure that JHipster will do the upgrade. But for now there's no rush. Also note that the "API first" option already works with OAIv3 specs.
I guess it's time to do this as we have started to get the deprecation warning during yarn install
warning swagger-ui@2.2.10: No longer maintained, please upgrade to swagger-ui@3.
Personally, I still dislike Swagger UI v3. I would prefer to migrate to Redoc: https://github.com/Rebilly/ReDoc Sadly it doesn't yet feature a "try it out" button.
@PierreBesson Redoc indeed looks cool, I didn't know about it. @cbornet you're the boss here, what do you think is best?
Try it out is the most important feature else we could even do static docs instead of a living page, and I personally don't think the new UI is bad, it's just not as feature rich as the old one. So IMO migration would be the best choice
Yes, it's probably time to migrate. See https://github.com/swagger-api/swagger-ui/issues/2915#issuecomment-376245104 for how to pass the auth token to swagger-ui.
OK let's do it. But we need to take the occasion to try to better integrate the swagger ui into the app (as an angular/react component). And we should make it optional to include it into the front-end assets.
Yes totally agree! @PierreBesson are you willing to do it? Who is interested?
I'm adding a bug bounty on this ticket as I think it's important, and there's a significant amount of work
My old branch with the changes might still be useful, as I figured out a few things there already
Thanks & Regards, Deepu
Have you considered using the springfox-swagger-ui maven dependency? It still uses Swagger UI 2.x, but it will follow Springfox lifecycle and ability to handle OpenAPI. And it should ease our task by not maintaining our own Swagger UI, no?
The reason we have our own is the different auth mechanism we support, you have to provide JWT tokens and stuff to use the try it out feature, which I'm not sure you can do with those plugins.
Thanks & Regards, Deepu
@cbornet It seems that support for oas-3 is practically done in https://github.com/springfox/springfox/tree/feature/2022/oas-3-support
Yes. That's for the backend part and will be part of Springfox 3. This issue is about swagger UI for which we can already migrate.
If you add springfox-swagger-ui in only backend jhipster project, you will reach swaggerUI with http://localhost:8080/swagger-ui.html
Maybe we could consider migrating to RapiDoc (https://mrin9.github.io/RapiDoc/) as I'm not a big fan of Swagger UI v3. ping @cbornet
I'm doubling the bug bounty here, as this is important and has been stuck for a long time
What about using this project: http://springdoc.org
Does it cover all our needs?
@cbornet @ecostanzi @PierreBesson
Interesting. Seems more like a replacement to Springfox.
At first glance SpringDoc looks like a much less advanced version of Springfox, I don't see how we could extend it to support the various auth schemes that we have. It also seems like it is based on the swagger-ui webjar.
Indeed springfox has many more features. I think it's a little bit early to consider springdoc as a replacement.
Springfox upgrade to openAPI 3 seems to have been almost abandoned. However there's an interesting comment suggesting to use SwaggerConverter to convert v2 specs to openapi specs. It could be a workaround while waiting for springdoc to evolve.
I also consider it premature but it seems a good project that is starting and growing quickly.
I'd like to tackle this issue, any heads up on where to start?
Yes. Basically what's needed to be done is to update the swagger-ui version in package.json and replace the index.html with the one from the new swagger-ui. Then modify this index.html to include the passing of the auth tokens.
See https://github.com/swagger-api/swagger-ui/issues/2915#issuecomment-376245104 on how to pass the token.
Also some configs of the swagger-ui need to be retrieved from the Springfox endpoints. See the current index.html about that.
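The token-passing step described in the comment above, sketched as an added example that is not part of the original thread or of JHipster's code. It uses Swagger UI 3's `requestInterceptor` option and attaches the JWT only to requests going to the application's own origin, so a spec or server URL on another host never receives it. The storage key `example-auth-token`, the `/v2/api-docs` path and the `Bearer` scheme are assumptions.

```javascript
// Added example (not JHipster's code). getToken and apiOrigin are
// hypothetical parameters supplied by the page that hosts Swagger UI.
function makeAuthInterceptor(getToken, apiOrigin) {
  const allowed = new URL(apiOrigin).origin;
  return function requestInterceptor(req) {
    let target;
    try {
      // Relative URLs such as "/v2/api-docs" resolve against the API origin.
      target = new URL(req.url, allowed);
    } catch (e) {
      return req; // unparsable URL: send it without credentials
    }
    const token = getToken();
    // Only same-origin requests get the token; anything else goes out bare.
    if (token && target.origin === allowed) {
      req.headers = req.headers || {};
      req.headers.Authorization = 'Bearer ' + token;
    }
    return req;
  };
}

// Browser wiring inside the replaced index.html (skipped outside a browser).
if (typeof window !== 'undefined' && typeof SwaggerUIBundle !== 'undefined') {
  window.ui = SwaggerUIBundle({
    url: '/v2/api-docs', // assumed spec endpoint
    dom_id: '#swagger-ui',
    requestInterceptor: makeAuthInterceptor(
      // assumed storage key; use whatever the app's login code writes
      () => window.sessionStorage.getItem('example-auth-token'),
      window.location.origin
    ),
  });
}
```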
You can take a look at this jhipster module: https://github.com/intesys/generator-jhipster-apiutils. Among other things it upgrades swagger UI to version 3 (see the index.js) and does some of the things that are required to work with springfox endpoints. However, this module has few things that are missing / have to be fixed: 1) It works only with JWT 2) uses jquery.
Ok, thanks! I will give it a go
And seems like Springfox 3.0 might be out soon: https://github.com/springfox/springfox/issues/3070
Dilip is asking for help. Don't hesitate to participate. Springfox is a very well-written lib. You learn a lot by contributing to it.
Is anyone working on this? I would like to have a go at it :) I have the UI displaying but am still working on passing the token to the swagger ui
go, it was opened for too long
@ecostanzi I've still submitted my branch as a PR so if you find anything interesting in my code we could try to share points of view?
@Hawkurane let's focus on one PR (#10567) so that the reviewers know where to look at.
I'd keep PR #10567 (and close #10570) for the frontend part, since it already works for both frontends and fetches the list of specs from swagger resources.
Let's discuss here: https://github.com/jhipster/generator-jhipster/pull/10567#discussion_r332115208 whether to customize springfox configuration in jhipster-framework (https://github.com/jhipster/jhipster/pull/425/) or by using a new template in the generator. In the first case we'll have to keep both PRs open. WDYT?
Sure, let's do that. I've closed my front part PR :)
We really need this as GitHub is now always giving a moderate sev security vulnerability for Swagger UI
Which is complete bullshit :angry: as using swagger ui v2 does not constitute a security vulnerability. [EDIT] Apparently there are some vulnerabilities logged on swagger ui v2, https://snyk.io/test/npm/swagger-ui/2.2.10 But I fail to see how they can be meaningfully exploited as only the admin user will have the proper authentication to make requests to the backend.
Indeed it's bullshit, but it's making our apps look bad and many would think that the generated apps are not secure by default
@ecostanzi : don't forget to claim the bounty, it's well deserved
@ecostanzi is PR https://github.com/jhipster/jhipster/pull/425 still needed?
As I don't need it during my test, I don't think so @DanielFran
@DanielFran I think we can close it, we postponed openapi security definitions for v7
Overview of the feature request
A very old version of Swagger UI (2.2.10) is used, which does not provide support for OpenAPI
Motivation for or Use Case
Open API support