This PR adds support to enable the open API route in the production build output.
Resolves #2418 (experimentally!)
New configs (openAPI: {})
production
false - (default) does not expose openapi.json to the production
runtime - Add runtime event handlers
prerender - Prerender swagger JSON and UIs
route: Default is /_openapi.json
ui.scalar
can be false to disable scalar UI (default is on)
route: Default is /_scalar
ui.swagger
can be false to disable swagger UI (default is on)
route: Default is /_swagger
[!NOTE]
New routes removed /_nitro prefix to be simpler.
Security
Production rotues are explicit opt-in to make sure users deliberately want to expose available routes in the production and make necessary protection if needed.
production: 'runtime'
Ideally before moving the OpenAPI feature to stable, we will have guard route rules to allow a hookable method to protect routes.
In the meantime, in this mode a server middleware can be used to protect
production: 'prerender'
Prerender mode is most efficient because the JSON output is literally a constant response but the case is, the deployment presets that natively have a CDN (netlify, cloudflare, vercel, etc) never hit nitro server and in this mode, protection should be considered on CDN level somehow.
This PR adds support to enable the open API route in the production build output.
Resolves #2418 (experimentally!)
New configs (
openAPI: {})productionfalse- (default) does not expose openapi.json to the productionruntime- Add runtime event handlersprerender- Prerender swagger JSON and UIsroute: Default is/_openapi.jsonui.scalarfalseto disable scalar UI (default is on)route: Default is/_scalarui.swaggerfalseto disable swagger UI (default is on)route: Default is/_swaggerSecurity
Production rotues are explicit opt-in to make sure users deliberately want to expose available routes in the production and make necessary protection if needed.
production: 'runtime'Ideally before moving the OpenAPI feature to stable, we will have guard route rules to allow a hookable method to protect routes.
In the meantime, in this mode a server middleware can be used to protect
production: 'prerender'Prerender mode is most efficient because the JSON output is literally a constant response but the case is, the deployment presets that natively have a CDN (netlify, cloudflare, vercel, etc) never hit nitro server and in this mode, protection should be considered on CDN level somehow.