Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookie authentication doesn't work in swagger-editor #1951

Closed
TitaneBoy opened this issue Feb 18, 2019 · 6 comments
Closed

Cookie authentication doesn't work in swagger-editor #1951

TitaneBoy opened this issue Feb 18, 2019 · 6 comments
Labels
type: support

Comments

@TitaneBoy
Copy link

Q&A (please complete the following information)

  • OS: Windows 7 Pro
  • Browser: Chrome
  • Version: 71.0.3578.98
  • Method of installation: Download the zip, extracted it and runned yarn install
  • Swagger-Editor version: 3.6.22
  • Swagger/OpenAPI version: OpenAPI 3.0

Content & configuration

OpenAPI definition:

openapi: 3.0.2
info:
  title: Ruby API
  description: Web Server API to provide measurements
  version: '1.0'
  termsOfService: 'https://www.google.com'
  contact:
    name: Philippe D'Alva
    url: 'https://myweburl.com/api'
    email: myemail@myemail.com
  license:
    name: TBD
    url: 'https://www.google.com'
servers:
  - url: 'http://localhost/v1'
paths:
  /login:
    post:
      tags:
        - Authentication
      summary: Use credentials to login to the Web Server
      description: >-
        Provide username and password credentials for the purpose of being
        authenticated and accessing advanced features of the Web Server,
        depending on user's privileges.
      requestBody:
        required: true
        description: Username and Password to provide for authentication
        content:
          application/json:
            schema:
              type: object
              required:
                - username
                - password
              properties:
                username:
                  type: string
                  example: Default
                password:
                  type: string
                  example: Default_pwd
      responses:
        '200':
          description: >-
            Successfully authenticated.  The session ID is returned in a cookie
            named `connect.sid`. You need to include this cookie in subsequent
            requests.
          headers:
            Set-Cookie:
              schema:
                type: string
                example: connect.sid=fd4698c940c6d1da602a70ac34f0b147; Path=/; HttpOnly
          content:
            application/json:
              schema:
                title: Login Successful response
                type: object
                properties:
                  token:
                    type: string
                    description: User token used to be authenticated
                    example: >-
                      eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjo2LCJ1c2VybmFtZSI6I.lBoaWxpcHBlIEQnQWx2YSIsImlh
                  username:
                    type: string
                    description: The name of the user.
                    example: Default
        '401':
          description: Unauthorized user
        '500':
          $ref: '#/components/schemas/500'
  /logout:
    post:
      tags:
        - Authentication
      summary: Logout user from Web Server
      description: Blablabla
      responses:
        '204':
          description: Logout successfull with no returned content
  /webclientapi/resume/:
    get:
      tags:
        - Data acquisition
      security:
        - cookieAuth: []
          bearerAuth: []
      summary: Get all of the measures data
      description: >-
        This route is used to have all the measurements, aka readings, trends
        and limits
      parameters:
        - in: query
          name: id
          description: The id of the measurement we want data
          schema:
            type: integer
          example: 1
          required: false
      responses:
        '200':
          description: Resume data response
          content:
            application/json:
              schema:
                title: Resume successfull response
                type: array
                items:
                  required:
                    - id
                    - measurement_info
                  properties:
                    id:
                      type: integer
                      description: The ID of the measurement data
                      example: 1
                    measurement_info:
                      type: object
                      description: Object describing the measure information
                      properties:
                        id:
                          type: integer
                          description: The ID of the measurement information
                          example: 1
                        name:
                          $ref: '#/components/schemas/measurements'
                    reading:
                      type: object
                      description: Object with reading data value of the measurement
                      properties:
                        value:
                          type: integer
                          description: The reading value of the measurement
                          example: 50
                        units:
                          $ref: '#/components/schemas/Reading-Units'
                    trend:
                      type: object
                      description: Object with reading trend data value of the measurement
                      properties:
                        value:
                          type: integer
                          description: The value of the trend for the measurement reading
                          example: 42
                        units:
                          $ref: '#/components/schemas/Trend-Units'
components:
  securitySchemes:
    cookieAuth:
      description: >-
        Session key to identify user session. If you don't have a session key,
        use
        `s%3Ac2a45539-f10d-2da3-81e5-68a64ce330c3.IWcoOdr0RM1kfZetvvKrdBIG11hS1Vdid0xHXdcppyc`.
      type: apiKey
      in: cookie
      name: connect.sid
    bearerAuth:
      description: >-
        API key to authorize requests. If you don't have a Ruby API key, use
        `fd4698c940c6d1da602a70ac34f0b147`
      type: http
      scheme: bearer

  schemas:
    '200':
      title: Successful response
      type: object
    '500':
      title: Internal error
      type: string
      description: Internal web server error
      example: Web Server Internal Error
    'Reading-Units':
      title: Reading units
      description: Units to be associated with reading values
      type: string
      enum:
        - unit 1
        - unit 2
        - unit 3
        - unit 4
    'Trend-Units':
      title: Trend units
      description: Units to be associated with reading trend values
      type: string
      enum:
        - unit 1
        - unit 2
        - unit 3
        - unit 4
    'measurements':
      title: Measurement names
      type: string
      enum:
        - Name 1
        - Name 2

Describe the bug you're encountering

Event if a cookie authentification is defined (under the components->securitySchemes section) in the OpenAPI configuration file (yaml), it seems that Swagger Editor does not send cookie authentication data to the Web Server. But when executing the Swagger Editor generated CURL command in a command line window, the Web Server receive properly the cookie data for authentication.

To reproduce...

Steps to reproduce the behavior:

  1. On the Swagger Editor menu, click on File-> Import File
  2. Select the OpenAPI file configuration (yaml)
  3. Click on Open File
  4. Click on the Authorize button
  5. Set the provided authentication data for cookieAuth and bearerAuth authentication.
  6. Click on "Authorize" button for each authorization.
  7. Close the window and go to the Data acquisition section to the the "/webclientapi/resume/ API.
  8. Click on the Try it out button
  9. Click on the Execute button

Expected behavior

Normally, After clicking on the "Execute" button of the API, the Web Server should have a "Cookie" header with the data described in the cookieAuth security scheme. But the request on the Web Server has no "Cookie" in his headers

Screenshots

The Available authorizations window:
image

The API we want to test:
image

The response we have after executing the API:

image

The content of request headers on the Web Server:
image

As you can see, no "cookie" header is available in the request headers. However, there is the "authorization" header

The Curl command generated by Swagger Editor:

curl -X GET "http://localhost/v1/webclientapi/resume/?id=1" -H "accept: application/json" -H "Authorization: Bearer fd4698c940c6d1da602a70ac34f0b147" -H "Cookie: connect.sid=s%253Ac2a45539-f10d-2da3-81e5-68a64ce330c3.IWcoOdr0RM1kfZetvvKrdBIG11hS1Vdid0xHXdcppyc"

The content of request headers on the Web Server when Swagger Editor generated Curl command is manually executed:
image
As you can see, there is a "cookie" header in the request headers. There is also an "authorization" header.

The result I receive in the command line console when Swagger Editor generated Curl command is manually executed:
image

Additional context or thoughts
@TitaneBoy
Copy link
Author

Thank you in advance for your help

@hkosova
Copy link
Contributor

hkosova commented Feb 22, 2019

Cookie authentication currently does not work in Swagger UI and Swagger Editor because of browser security restrictions that prevent web pages from modifying certain headers (such as Cookie) programmatically. Please see swagger-api/swagger-js#1163 for details.

@TitaneBoy
Copy link
Author

TitaneBoy commented Feb 22, 2019
edited
Loading

@hkosova Thank you for your answer... If browser security restrictions prevents web pages from modifying headers like "Cookie", then Why there is a Cookie Authentication section in the Swagger documentation that seems to tell us that it is possible to do "Cookie Authentication" ?

@hkosova
Copy link
Contributor

hkosova commented Feb 22, 2019

That doc is an OpenAPI syntax guide. OpenAPI Specification allows describing cookie authentications in API definitions.

Swagger tools (Editor, UI, etc.) are specific implementations of the OpenAPI Specification. Since Swagger Editor/UI are web pages run entirely client-side in a browser, they are subject to browser security mechanisms like forbidden headers, CORS, etc.

Other tools may or may not have the same limitations depending on their implementation and runtime environment. For example, one of the workarounds discussed in swagger-api/swagger-js#1163 is to proxy the requests through a server-side application to work around browser restrictions. SwaggerHub does this, so cookie authentication works in API docs hosted on SwaggerHub.

@TitaneBoy
Copy link
Author

Thanks for your answer..It is more clear now..

@shockey
Copy link
Contributor

shockey commented Apr 5, 2019

Closing due to inactivity.

This is simply to keep our issue tracker clean - feel free to comment if there are any further thoughts or concerns, and we'll be happy to reopen this issue.

To future readers: you should check swagger-api/swagger-js#1163 for more information about this limitation in general.

@shockey shockey closed this as completed Apr 5, 2019
@hl-a-k hl-a-k mentioned this issue Jan 12, 2022
Closed
@hw0603 hw0603 mentioned this issue Jun 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shockey @hkosova @TitaneBoy