swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
https://swagger.io
Apache License 2.0

Authorization header only added to resources without Security #2104

Closed kyeotic closed 8 years ago

kyeotic commented 8 years ago

I am using Swagger UI @version v2.1.4

I am adding an authorization header with the following, inside the load onComplete handler.

var key = new SwaggerClient.ApiKeyAuthorization("Authorization", 'Bearer ' +  auth, "header")
swaggerUi.api.clientAuthorizations.add("key", key)

The result is that "Try it out" operations that do not contain a Security definition get the Authorization header added, and resources that do contain a Security definition do not get the Authorization header. This is exactly the opposite of the behavior I expect. Am I doing something wrong, or is this a bug?

My Swagger spec is quite large, but here is a relevant slice. The /apis resource gets an authorization header, the /users resource does not.

swagger: "2.0"
info:
  version: "2016-04-07T18:09:13Z"
  title: DevPortal-Api
host: "drqo935wsk.execute-api.us-west-2.amazonaws.com"
basePath: "/test"
schemes:
- "https"
paths:
  /v1/apis:
    get:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      parameters:
      - name: "searchName"
        in: "query"
        required: false
        type: "string"
      - name: "username"
        in: "query"
        required: false
        type: "string"
      responses:
        200:
          description: "200 response"
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
        500:
          description: "500 response"
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin: "'*'"
          .*?Task timed out after.*$:
            statusCode: "500"
        requestTemplates:
          application/json: "--redacted for length--"
        uri: "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:539783510382:function:DevPortal_Api-${stageVariables.stage}:${stageVariables.stage}/invocations"
        httpMethod: "POST"
        type: "aws"
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      responses:
        200:
          description: "200 response"
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Methods: "'POST,GET,OPTIONS'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
              method.response.header.Access-Control-Allow-Origin: "'*'"
        requestTemplates:
          application/json: "{\"statusCode\": 200}"
        type: "mock"
  /v1/users/{username}:
    get:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      parameters:
      - name: "username"
        in: "path"
        required: true
        type: "string"
      responses:
        200:
          description: "200 response"
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
        500:
          description: "500 response"
      security:
      - JwtCustom: []
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin: "'*'"
        requestTemplates:
          application/json: "--redacted for length--"
        uri: "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:539783510382:function:DevPortal_Api-${stageVariables.stage}:${stageVariables.stage}/invocations"
        httpMethod: "POST"
        type: "aws"
    options:
      consumes:
      - "application/json"
      produces:
      - "application/json"
      parameters:
      - name: "username"
        in: "path"
        required: true
        type: "string"
      responses:
        200:
          description: "200 response"
          schema:
            $ref: "#/definitions/Empty"
          headers:
            Access-Control-Allow-Origin:
              type: "string"
            Access-Control-Allow-Methods:
              type: "string"
            Access-Control-Allow-Headers:
              type: "string"
      x-amazon-apigateway-integration:
        responses:
          default:
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
              method.response.header.Access-Control-Allow-Origin: "'*'"
        requestTemplates:
          application/json: "{\"statusCode\": 200}"
        type: "mock"

securityDefinitions:
  JwtCustom:
    type: "apiKey"
    name: "Authorization"
    in: "header"
    x-amazon-apigateway-authtype: "custom"
    x-amazon-apigateway-authorizer:
        type: "token"
        authorizerUri: "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:539783510382:function:CustomAuthJava/invocations"
        authorizerResultTtlInSeconds: 60
definitions:
  Empty:
    type: "object"

fehguy commented 8 years ago

The security token that you add needs to match the name in your securityDefinitions. So instead of this:

var key = new SwaggerClient.ApiKeyAuthorization("Authorization", 'Bearer ' +  auth, "header")
swaggerUi.api.clientAuthorizations.add("key", key)

consider something like this:

var key = new SwaggerClient.ApiKeyAuthorization("Authorization", 'Bearer ' +  auth, "header")
swaggerUi.api.clientAuthorizations.add("JwtCustom", key)
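To make the rule behind this answer concrete, here is an added example (not swagger-js or swagger-ui code, and not from either participant) that models the authorization-selection rule the thread describes: an operation with no `security` list receives every registered client authorization, while an operation with a `security` list receives only the authorizations registered under a name that matches one of its schemes. The class names, helper functions and the two-operation spec slice are constructed for this illustration; the real swagger-js implementation differs in detail.

```javascript
// Added example (not swagger-js / swagger-ui code): a minimal model of how a
// 2.x-era client picks which registered authorizations to attach to a request.
// All names and sample data below are constructed for illustration.

// One registered authorization: a header or query key/value pair.
function ApiKeyAuthorization(name, value, location) {
  this.name = name;           // e.g. "Authorization"
  this.value = value;         // e.g. "Bearer <token>"
  this.location = location;   // "header" or "query"
}

// Write this authorization into a request object (header or query map).
ApiKeyAuthorization.prototype.apply = function (request) {
  if (this.location === 'header') {
    request.headers[this.name] = this.value;
  } else if (this.location === 'query') {
    request.query[this.name] = this.value;
  }
  return true;
};

// Registry of client authorizations, keyed by the name passed to .add(name, auth).
function ClientAuthorizations() {
  this.authz = {};
}

ClientAuthorizations.prototype.add = function (name, auth) {
  this.authz[name] = auth;
  return auth;
};

// Collect the scheme names referenced by an operation's `security` list,
// e.g. [{ JwtCustom: [] }] -> ["JwtCustom"].
function securitySchemeNames(securities) {
  var names = [];
  (securities || []).forEach(function (requirement) {
    if (typeof requirement === 'string') {
      names.push(requirement);
    } else {
      Object.keys(requirement).forEach(function (n) { names.push(n); });
    }
  });
  return names;
}

// The rule the issue trips over: no `security` on the operation means every
// registered authorization is applied; a `security` list means only the
// authorizations whose registry name matches a listed scheme are applied.
ClientAuthorizations.prototype.apply = function (request, securities) {
  var applyAll = !securities;
  var wanted = securitySchemeNames(securities);
  var self = this;
  Object.keys(this.authz).forEach(function (name) {
    if (applyAll || wanted.indexOf(name) !== -1) {
      self.authz[name].apply(request);
    }
  });
  return request;
};

// Build an empty request and attach the authorizations selected for an operation.
function buildRequest(clientAuthz, operation) {
  var request = { headers: {}, query: {} };
  return clientAuthz.apply(request, operation.security);
}

// Constructed slice of the spec from the issue: /v1/apis declares no security
// requirement; /v1/users/{username} requires the "JwtCustom" scheme.
var operations = {
  apisGet: { path: '/v1/apis', method: 'get' },
  usersGet: { path: '/v1/users/{username}', method: 'get', security: [{ JwtCustom: [] }] }
};

// Register the bearer token under a given registry name and report which
// headers each operation ends up with.
function headersFor(registryName, token) {
  var authz = new ClientAuthorizations();
  authz.add(registryName, new ApiKeyAuthorization('Authorization', 'Bearer ' + token, 'header'));
  return {
    apis: buildRequest(authz, operations.apisGet).headers,
    users: buildRequest(authz, operations.usersGet).headers
  };
}

// Registered as "key" (the report): only the unsecured /v1/apis gets the header.
// Registered as "JwtCustom" (the fix): both operations get it.
console.log(JSON.stringify(headersFor('key', 'constructed-token')));
console.log(JSON.stringify(headersFor('JwtCustom', 'constructed-token')));
```

Two practical consequences follow from the rule. First, the registry name passed to `clientAuthorizations.add()` must be kept in sync with the key under `securityDefinitions` whenever either is renamed, or secured operations silently lose the header. Second, operations that declare no `security` at all still receive every registered authorization, so the bearer token is sent to them too; if such operations are meant to be public, or if the spec points at more than one host, declare `security` explicitly on every operation so the token only travels where it is required.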

kyeotic commented 8 years ago

Ah! That does it. You might want to note this relationship in the README; it is not very obvious.