
OpenAPI 3 Cookie Authentication Support #649

Closed
rafaelkallis opened this issue Apr 2, 2020 · 4 comments

Comments

@rafaelkallis (Contributor) commented Apr 2, 2020

Feature Request (PR #650 + docs PR)

OpenAPI 3 supports Cookie Authentication. The @nestjs/swagger module currently only supports that through the @ApiSecurity() decorator.

Cookie authentication support could be improved by having an API similar to the other existing authentication mechanisms:

```ts
// main.ts
const options = new DocumentBuilder()
    .setTitle('Cats example')
    .setDescription('The cats API description')
    .setVersion('1.0')
    .addTag('cats')
    .addCookieAuth() // <- adds cookie authentication
    .build();

// cats.controller.ts
@ApiCookieAuth() // <- adds cookie authentication
@Controller('cats')
export class CatsController {}
```
rafaelkallis changed the title from "Cookie Authentication Support" to "OpenAPI 3 Cookie Authentication Support" on Apr 2, 2020
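To make concrete what the proposed `.addCookieAuth()` / `@ApiCookieAuth()` pair would put into the generated OpenAPI 3 document, here is an added, dependency-free sketch (not code from the issue, the PR or `@nestjs/swagger`). It builds the `components.securitySchemes` entry and the per-operation `security` requirement by hand and includes a check that every requirement resolves to a declared scheme. The default cookie name `connect.sid` and the scheme name `cookie` are assumptions of this example, as are all function names.

```typescript
// Added example, not @nestjs/swagger code: the OpenAPI 3 objects that the
// proposed DocumentBuilder.addCookieAuth() and @ApiCookieAuth() are assumed
// to produce, built by hand so the resulting spec can be inspected and checked.
// Assumed defaults: cookie name 'connect.sid', security scheme name 'cookie'.

interface ApiKeyScheme {
  type: 'apiKey';
  in: 'cookie' | 'header' | 'query';
  name: string; // name of the cookie (or header / query parameter)
}

type SecurityRequirement = Record<string, string[]>;

interface Operation {
  security?: SecurityRequirement[];
}

export interface OpenApiDoc {
  openapi: string;
  paths: Record<string, Record<string, Operation>>;
  components: { securitySchemes: Record<string, ApiKeyScheme> };
}

export function newDocument(): OpenApiDoc {
  return { openapi: '3.0.0', paths: {}, components: { securitySchemes: {} } };
}

// Counterpart of DocumentBuilder.addCookieAuth(): declares the scheme under
// components.securitySchemes. OpenAPI 3 models cookie auth as an apiKey
// scheme with `in: 'cookie'`.
export function addCookieAuth(
  doc: OpenApiDoc,
  cookieName = 'connect.sid',
  securityName = 'cookie',
): OpenApiDoc {
  doc.components.securitySchemes[securityName] = { type: 'apiKey', in: 'cookie', name: cookieName };
  return doc;
}

// Counterpart of @ApiCookieAuth() on a handler: marks the operation as
// requiring the named scheme. The scope list is always empty for apiKey schemes.
export function apiCookieAuth(
  doc: OpenApiDoc,
  path: string,
  method: string,
  securityName = 'cookie',
): void {
  const pathItem = (doc.paths[path] ??= {});
  const operation = (pathItem[method] ??= {});
  (operation.security ??= []).push({ [securityName]: [] });
}

// Spec hygiene check: a requirement naming an undeclared scheme is invalid
// OpenAPI and gives Swagger UI nothing to prompt for. Returns the offending
// "METHOD path -> scheme" strings, empty when the document is consistent.
export function danglingSecurityRefs(doc: OpenApiDoc): string[] {
  const declared = new Set(Object.keys(doc.components.securitySchemes));
  const missing: string[] = [];
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [method, op] of Object.entries(item)) {
      for (const req of op.security ?? []) {
        for (const scheme of Object.keys(req)) {
          if (!declared.has(scheme)) missing.push(`${method.toUpperCase()} ${path} -> ${scheme}`);
        }
      }
    }
  }
  return missing;
}

// Usage mirroring the main.ts / cats.controller.ts sketch in the issue.
export function buildCatsDocument(): OpenApiDoc {
  const doc = addCookieAuth(newDocument()); // .addCookieAuth()
  apiCookieAuth(doc, '/cats', 'get');       // @ApiCookieAuth() on CatsController
  return doc;
}
```

`buildCatsDocument()` yields `components.securitySchemes.cookie = { type: 'apiKey', in: 'cookie', name: 'connect.sid' }` and `paths['/cats'].get.security = [{ cookie: [] }]`, which is the shape the OpenAPI 3 specification uses for cookie authentication.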
@kamilmysliwiec (Member)

Merged! Will be available in the next minor release :)

@SathursanS

Is cookie authentication fully functional in Nest? According to https://swagger.io/docs/specification/authentication/cookie-authentication/, cookie authentication for "try it out" is not supported. Is this the same case for Nest?

@hl-a-k commented Jan 12, 2022

I have tested it. It is not fully functional. Same reason as swagger-api/swagger-editor#1951.
Any plan for it?

@alereca commented Feb 23, 2022

As an alternative solution, relying on `withCredentials: true` in `SwaggerCustomOptions` worked for me:

```ts
  const customOptions: SwaggerCustomOptions = {
    swaggerOptions: {
      withCredentials: true, // let the browser attach its cookies to "try it out" requests
    },
  };

  SwaggerModule.setup('api', app, document, customOptions);
```

As a reference: https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/#withCredentials

> withCredentials -> Boolean=false. If set to true, enables passing credentials, as defined in the Fetch standard, in CORS requests that are sent by the browser. Note that Swagger UI cannot currently set cookies cross-domain (see swagger-js#1163) - as a result, you will have to rely on browser-supplied cookies (which this setting enables sending) that Swagger UI cannot control.

So each time I make a request to /app/auth/login or /app/auth/register an http-only, same-site cookie is stored by the browser and then appended to each following request (so this approach avoids setting the authorization Swagger UI field):

```ts
  @Post('login')
  @HttpCode(200)
  async login(
    @Body(AppValidationPipe) loginDto: LoginDto,
    @Res() response: Response,
  ) {
    const loggedUser = await this.authService.login(loginDto);
    // store the token in a cookie the page script cannot read and the
    // browser will not attach to cross-site requests
    response.cookie('accessToken', loggedUser.accessToken, {
      expires: addMinutes(new Date(), loggedUser.accessTokenExpiration),
      httpOnly: true,
      sameSite: 'strict',
      // consider secure: true so the cookie is only ever sent over HTTPS
    });
    // with @Res() injected, Nest does not finish the response for you
    return response.send();
  }
```

After that `IsAuthGuard` can parse the cookies attached to the request (remember to install cookie-parser as stated in the NestJS docs, https://docs.nestjs.com/techniques/cookies):

```ts
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const request: RequestWithUser = context.switchToHttp().getRequest();

    // cookie-parser populates request.cookies from the Cookie header
    const fullInputToken: string | undefined = request.cookies['accessToken'];
    if (!fullInputToken) throw new UnauthorizedException('Token not provided'); // from @nestjs/common

    // tolerate a 'Bearer ' prefix if the token was stored with one
    const tokenWithoutPrefix = fullInputToken.replace('Bearer ', '');

    // verify the token and attach the user to the request; the verification
    // step was omitted from the original snippet, so verifyToken is an assumed name
    request.user = await this.authService.verifyToken(tokenWithoutPrefix);
    return true;
  }
```
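The comment above relies on three pieces working together: the login handler issuing a cookie with defensive attributes, cookie-parser turning the `Cookie` header back into an object, and the guard pulling the token out of it. The following added example (not the commenter's code, and framework-free so it runs on its own) shows all three steps explicitly; `ACCESS_COOKIE`, `buildSessionCookie`, `parseCookieHeader`, `extractAccessToken` and `UnauthorizedError` are this example's own names, and the `Secure` attribute is added on top of the `httpOnly` / `sameSite: 'strict'` settings the comment uses.

```typescript
// Added example, not the commenter's code: a framework-free sketch of the
// cookie flow described above. All names here are this example's own.

export const ACCESS_COOKIE = 'accessToken';

// Step 1 (login handler): the Set-Cookie header value to send back.
// HttpOnly keeps the token away from page scripts, SameSite=Strict stops the
// browser attaching it to cross-site requests, Secure restricts it to HTTPS.
export function buildSessionCookie(token: string, expires: Date, secure = true): string {
  const parts = [
    `${ACCESS_COOKIE}=${encodeURIComponent(token)}`,
    `Expires=${expires.toUTCString()}`,
    'Path=/',
    'HttpOnly',
    'SameSite=Strict',
  ];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Step 2 (what cookie-parser does): turn the Cookie request header into an
// object. First occurrence of a name wins; malformed percent-encoding is kept raw.
export function parseCookieHeader(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  if (!header) return out;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    const rawValue = pair.slice(idx + 1).trim();
    if (!name || Object.prototype.hasOwnProperty.call(out, name)) continue;
    let value = rawValue;
    try {
      value = decodeURIComponent(rawValue);
    } catch {
      // leave the undecodable value as-is rather than dropping the cookie
    }
    out[name] = value;
  }
  return out;
}

export class UnauthorizedError extends Error {}

// Step 3 (guard): pull the token out of the parsed cookies, tolerating an
// optional 'Bearer ' prefix, and reject missing or empty values.
export function extractAccessToken(cookies: Record<string, string>): string {
  const raw = cookies[ACCESS_COOKIE];
  if (!raw) throw new UnauthorizedError('Token not provided');
  const token = raw.startsWith('Bearer ') ? raw.slice('Bearer '.length) : raw;
  if (!token.trim()) throw new UnauthorizedError('Token not provided');
  return token;
}
```

With `withCredentials: true`, the browser attaches whatever cookie `buildSessionCookie` produced to each "try it out" request; Swagger UI itself never sees the token, which is exactly why the `Authorize` dialog stays empty and the guard must read it from the parsed cookies instead.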
