chore: swagger docs omit browser based credentials, rely on swagger auth #13742
Swagger has an "Authorize" button which should be the only authentication being used in the api requests
this is awful, but it seems like it's all in ways that aren't your fault, so whatever 😂
// | ||
// So remove authenticating via a cookie, and rely on the authorization | ||
// header passed in. | ||
httpSwagger.UIConfig(map[string]string{ |
I hate that they use a map[string]string for this instead of a struct 😭
Not even a link to the docs 😢
"requestInterceptor":`(a => { | ||
a.credentials = "omit"; | ||
return a; | ||
})`, |
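Review bot: the `requestInterceptor` value is JavaScript held in a Go string, so nothing compiles or checks the `a.credentials = "omit";` line, and a typo in it would only show up when the docs page runs in a browser. Consider renaming the parameter from `a` to something like `req`, adding a comment that links to the http-swagger option being used, and adding a test that fetches the served docs page and asserts the interceptor text is present in the rendered config.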
their recommendation is just to embed javascript in a string??? I extra hate that
Yea, it is a bit crazy: https://github.com/swaggo/http-swagger/blob/master/swagger.go#L24-L27
Closes #13535
Note: I considered implementing CSRF in the interceptor which would just use the logged in user credentials. But the Authorize button will still exist, and it would be even more confusing since the cookie auth supersedes the header based auth. So swagger requiring explicit authentication feels safer.
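
A small model of the behaviour the description argues about, added here as an illustration and not taken from the PR or the project's code: a docs-page request made with and without the interceptor while a browser session exists. The cookie name, header name, tokens, URL and the cookie-first precedence in `authenticate` are assumptions made for the example.

```javascript
// Model only. Names and precedence below are assumptions based on the PR
// description ("the cookie auth supersedes the header based auth").
const SESSION_COOKIE = "session_token"; // hypothetical cookie name
const TOKEN_HEADER = "Session-Token";   // hypothetical header set via "Authorize"

// Constructed token store: token -> user.
const TOKENS = { "tok-admin": "admin", "tok-readonly": "readonly" };

// The interceptor from the PR, written as a plain function.
const omitCredentials = (req) => {
  req.credentials = "omit";
  return req;
};

// Browser side: cookies are attached to a same-origin request unless the
// request's credentials mode is "omit".
function browserSend(req, cookieJar) {
  const headers = { ...req.headers };
  if (req.credentials !== "omit" && cookieJar[SESSION_COOKIE]) {
    headers["Cookie"] = `${SESSION_COOKIE}=${cookieJar[SESSION_COOKIE]}`;
  }
  return headers;
}

// Server side (assumed): the session cookie is checked first, the header second.
function authenticate(headers) {
  const re = new RegExp(`(?:^|;\\s*)${SESSION_COOKIE}=([^;]+)`);
  const m = re.exec(headers["Cookie"] || "");
  const token = m ? m[1] : headers[TOKEN_HEADER];
  return TOKENS[token] || null;
}

// One "Try it out" call from the docs page; returns the user the server sees.
function tryItOut({ cookieJar, authorizeToken, interceptor }) {
  let req = { url: "/api/example", headers: {}, credentials: "same-origin" };
  if (authorizeToken) req.headers[TOKEN_HEADER] = authorizeToken;
  if (interceptor) req = interceptor(req);
  return authenticate(browserSend(req, cookieJar));
}

// Logged in as admin in the browser, "Authorize" filled with a read-only token.
const jar = { [SESSION_COOKIE]: "tok-admin" };
console.log(tryItOut({ cookieJar: jar, authorizeToken: "tok-readonly" }));
console.log(tryItOut({ cookieJar: jar, authorizeToken: "tok-readonly", interceptor: omitCredentials }));
console.log(tryItOut({ cookieJar: jar, interceptor: omitCredentials }));
```

Without the interceptor the request runs as the cookie's user regardless of what was entered under Authorize; with it, only the explicitly supplied token counts, and a request with no token is unauthenticated.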