
Swagger UI endpoint authorization. #493

Merged: 1 commit, Sep 8, 2016

Conversation

@texpert (Contributor) commented Aug 15, 2016

This helps to guard Swagger UI endpoints by adding 3 new options to the swagger documentation (in my case, using the WineBouncer gem and Doorkeeper, but it is configurable):

endpoint_auth_wrapper: WineBouncer::OAuth2,
swagger_endpoint_guard: "oauth2 false",
oauth_token: 'doorkeeper_access_token'

To display the endpoint only for signed-in admin users, I am using a lambda (I think a few lambdas like this would go into the options as well; I will work on it later):

  # Hide the endpoint from the docs unless the token belongs to an admin user
  not_admins = lambda { |token = nil| token.nil? || !User.find(token.resource_owner_id).admin? }

  resource :users, desc: "Users' operations" do
    desc 'List users', hidden: not_admins
    oauth2 'admin'
    get do
      render_result User.all
    end
  end

Notes:

@LeFnord (Member) commented Aug 31, 2016

@texpert … nice work, but can you add a spec, please?

@texpert (Contributor, Author) commented Sep 7, 2016

@LeFnord , here is the spec, finally :)

Rubocop is complaining about the double negation !!; it is the only failure (and I think this cop is ambiguous: !! looks much better here than some ternary ? to get a true or false value). What do you think?

@LeFnord (Member) commented Sep 8, 2016

@texpert … please rebase and try to use .present? to avoid the rubocop warning, thanks

@LeFnord (Member) commented Sep 8, 2016

👍 … good work 😄

@texpert (Contributor, Author) commented Sep 8, 2016

Thanks, @LeFnord!

I am preparing one last commit to fix some nuances in the README, and after this I will squash.

@texpert (Contributor, Author) commented Sep 8, 2016

Done!

@LeFnord LeFnord merged commit a9d36f9 into ruby-grape:master Sep 8, 2016
@texpert texpert deleted the swagger_doc_authorization branch September 26, 2016 08:57
LeFnord pushed a commit to LeFnord/grape-swagger that referenced this pull request Feb 9, 2019
@narze commented Sep 19, 2023

For those who wonder how to use basic auth to protect the endpoint, here's my implementation after some trial & error.

require 'base64'

class BasicAuthWrapper < Grape::Middleware::Base
  def before
    # Only guard the swagger documentation endpoint, not the API endpoints themselves
    path_is_swagger_doc = context.options[:for].try(:mount_path)&.include?("/swagger_doc")

    if path_is_swagger_doc && !basic_auth(env['HTTP_AUTHORIZATION'])
      context.error!('401 Unauthorized', 401)
    end
  end

  private

  def basic_auth(auth_header_string)
    return false if !auth_header_string || !auth_header_string.start_with?('Basic ')

    auth_header_string = auth_header_string.gsub(/^Basic /, '')
    decoded_str = Base64.decode64(auth_header_string)

    # Constant-time comparison so response timing does not reveal how many
    # leading bytes matched; the hard-coded credentials are a placeholder and
    # should come from configuration in real use
    Rack::Utils.secure_compare(decoded_str, "username:password")
  end
end

# Usage: Add class to `endpoint_auth_wrapper` option
add_swagger_documentation(
  base_path: '/api',
  doc_version: 'v1',
  add_version: true,
  mount_path: '/v1/swagger_doc',
  endpoint_auth_wrapper: BasicAuthWrapper
)
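The following is an added example, not code from this pull request or from the grape-swagger project. It shows in plain Ruby what an `endpoint_auth_wrapper` such as the `BasicAuthWrapper` above has to do: let requests outside the swagger doc path through, parse the HTTP Basic header on doc-path requests, compare the credentials in constant time, and answer 401 with a `WWW-Authenticate` challenge otherwise. It is written as a Rack-style middleware in front of a stub doc app so it runs without Grape or Rack installed; the class name `SwaggerDocBasicAuth`, the `guarded_path` option, the `basic_header` and `demo_status` helpers, and the `username`/`password` credentials are assumptions constructed for this example.

```ruby
# Added example (not from the pull request or grape-swagger): a Rack-style
# middleware guarding the swagger doc path with HTTP Basic auth.
class SwaggerDocBasicAuth
  REALM = 'swagger'.freeze

  # `guarded_path` is an assumed option for this example; the wrapper in the
  # comment above hard-codes the "/swagger_doc" check instead.
  def initialize(app, username:, password:, guarded_path: '/swagger_doc')
    @app = app
    @username = username
    @password = password
    @guarded_path = guarded_path
  end

  # Rack entry point: requests outside the doc path pass straight through;
  # doc-path requests need valid credentials, otherwise 401 with a challenge.
  def call(env)
    return @app.call(env) unless env['PATH_INFO'].to_s.include?(@guarded_path)
    return @app.call(env) if authorized?(env['HTTP_AUTHORIZATION'])

    [401,
     { 'Content-Type' => 'text/plain', 'WWW-Authenticate' => %(Basic realm="#{REALM}") },
     ['401 Unauthorized']]
  end

  # Compares two strings in constant time (after a length check) so the
  # response timing does not reveal how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  private

  # Parses "Basic <base64(user:pass)>"; anything malformed is rejected.
  def authorized?(header)
    return false unless header.is_a?(String) && header.start_with?('Basic ')

    decoded = header.sub(/\ABasic /, '').unpack1('m') # stdlib base64 decode
    user, pass = decoded.split(':', 2)
    return false if user.nil? || pass.nil?

    # Evaluate both comparisons so a wrong username costs the same as a wrong password
    user_ok = self.class.secure_compare(user, @username)
    pass_ok = self.class.secure_compare(pass, @password)
    user_ok && pass_ok
  end
end

# Builds an Authorization header value for the given credentials.
def basic_header(user, pass)
  encoded = ["#{user}:#{pass}"].pack('m0')
  "Basic #{encoded}"
end

# Runs one request through the guard in front of a stub doc app and returns
# the HTTP status. The credentials are constructed sample values.
def demo_status(path, header = nil)
  doc_app = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"swagger":"2.0"}']] }
  guard = SwaggerDocBasicAuth.new(doc_app, username: 'username', password: 'password')
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_AUTHORIZATION'] = header if header
  guard.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts "no header      -> #{demo_status('/v1/swagger_doc')}"
  puts "good creds     -> #{demo_status('/v1/swagger_doc', basic_header('username', 'password'))}"
  puts "wrong password -> #{demo_status('/v1/swagger_doc', basic_header('username', 'nope'))}"
  puts "api path       -> #{demo_status('/v1/users')}"
end
```

The guard checks both username and password even when the username is already wrong, and a missing, non-Basic or undecodable header is treated the same as wrong credentials, so an unauthenticated client gets no hint about which part failed. In a real Grape application the credentials would come from configuration, not literals.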
