marcgibbons / django-rest-swagger

Swagger Documentation Generator for Django REST Framework: deprecated
https://marcgibbons.com/django-rest-swagger/
BSD 2-Clause "Simplified" License

Authorization header missing in request payload from swagger UI #762

Open cegprakash opened 6 years ago

cegprakash commented 6 years ago

Problem: Authorization header is missing in request payload from swagger UI

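```
django-rest-swagger==2.2.0
djangorestframework==3.8.2
```

```python
# urls.py
from django.conf.urls import url
from rest_framework_swagger.views import get_swagger_view

# View that renders the Swagger UI for the API schema
schema_view = get_swagger_view(title='Pastebin API')

urlpatterns = [
    url(r'docs', schema_view),
]
```

```python
# settings.py
SWAGGER_SETTINGS = {
    # Declares the scheme shown behind the "Authorize" button
    'SECURITY_DEFINITIONS': {
        'api_key': {
            'type': 'apiKey',
            'in': 'header',
            'name': 'Authorization'
        }
    },
    'JSON_EDITOR': True,
}
```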

I see the authorize button immediately in the swagger UI:

api_key (apiKey), Name: Authorization, In: header, Value: (textbox)

I typed my token and authorized.

Now I would expect all my requests from swagger getting attached with an Authorization header with the value I provided. But in the request payload, I don't see any header attached. Is there anything that I've missed? I have also gone through many other issues (related to this) and couldn't find a working solution.

Skyross commented 6 years ago

Hi! I've faced the same issue and found this note: https://github.com/marcgibbons/django-rest-swagger/issues/757#issuecomment-397527350. Looks like it works now for django-rest-swagger==2.1.2 only.

pavankomarina commented 6 years ago

Can somebody tell me whether we can pass authorization headers in django-rest-swagger==2.2.0?

cegprakash commented 6 years ago

Nope. Use 2.1.2

shockey commented 6 years ago

Hi everyone, have you enabled CORS on your servers?

If not, take a look at https://enable-cors.org. In order for your browser to be allowed to send Authorization headers, your server needs to be watching for OPTIONS requests and sending back Access-Control-Allow-Headers: *. This is a security mechanism enforced by your browser, so there's no way for Swagger UI (or any web app) to get around it.

shockey commented 6 years ago

Also - sharing your Swagger JSON/YAML would be helpful here.

cegprakash commented 6 years ago

It's definitely not a CORS issue. It works perfectly in 2.1.2. Just not in 2.2.0

There will be no JSON/YAML file generated when using django-rest-swagger

marcoceccarellispotsoftware commented 6 years ago

Hi! @marcgibbons, it seems to be something related to the SECURITY settings. I think this is a required setting for Swagger UI OpenAPI, alongside SECURITY_SETTINGS.

After some investigation I noticed that this is something already merged in a previous release; it refers to PR #636. Something went wrong, because in the 2.2.0 CHANGELOG https://github.com/marcgibbons/django-rest-swagger/blob/master/CHANGELOG.md

  • Add security #636 (dimitrismakris)

it seems that it should be included ... but it's not.

After including this PR it works.

For all who want to try the fix, please pay attention to the SECURITY settings format: per the OpenAPI 2 spec it's an array :-D Example:

```python
'SECURITY': [
    {
        'api_key': []
    }
]
```

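
The OpenAPI 2 rule behind the comment above: a scheme under `securityDefinitions` is only declared, and an operation uses it only when a `security` array (on the operation, or at the top level) names it. The check below is an added example, not part of the thread or of django-rest-swagger; `operations_without_auth` and both sample documents are constructed for illustration.

```python
# Added example: list the operations of a Swagger 2.0 document that carry
# no usable security requirement. Names and sample documents are constructed.

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def operations_without_auth(spec):
    """Return sorted (METHOD, path) pairs with no usable security requirement.

    Swagger 2.0: `securityDefinitions` only declares schemes. An operation
    uses one only if a `security` array (operation-level, else top-level)
    names it. An empty array means "no authentication".
    """
    defined = set(spec.get("securityDefinitions", {}))
    default = spec.get("security", [])
    missing = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "$ref" and vendor extensions
            reqs = op.get("security", default)
            if not isinstance(reqs, list):
                raise TypeError("'security' must be an array of requirement objects")
            # Usable: non-empty and every scheme it names is actually declared.
            usable = [r for r in reqs if r and set(r) <= defined]
            if not usable:
                missing.append((method.upper(), path))
    return sorted(missing)


# Constructed document mirroring the issue: scheme declared, never required.
DECLARED_ONLY = {
    "swagger": "2.0",
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "in": "header", "name": "Authorization"}
    },
    "paths": {
        "/snippets/": {"get": {"responses": {}}, "post": {"responses": {}}},
        "/health/": {"get": {"responses": {}, "security": []}},
    },
}

# Same document plus the top-level requirement array from the comment above.
WITH_REQUIREMENT = dict(DECLARED_ONLY, security=[{"api_key": []}])

if __name__ == "__main__":
    print(operations_without_auth(DECLARED_ONLY))
    print(operations_without_auth(WITH_REQUIREMENT))
```

Writing the requirement as a dict instead of an array raises `TypeError` here, which is the format mistake the comment above warns about.
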
cegprakash commented 6 years ago

Wow, in that case just include that missing pull request and plz release a version. This is very much needed. @marcgibbons