Switching between swagger APIs in top bar does not reset Authorization #5540

Closed
mbaeuerle opened this issue Aug 20, 2019 · 3 comments · Fixed by #7046
Comments

mbaeuerle (Contributor) commented Aug 20, 2019

Q&A (please complete the following information)

  • OS: Linux
  • Browser: Firefox
  • Version: 68.0.2
  • Method of installation: https://petstore.swagger.io/
  • Swagger-UI version: I suppose newest 3.23.5
  • Swagger/OpenAPI version: 2.0

Content & configuration

Configuration of the https://petstore.swagger.io/ example

Describe the bug you're encountering

When switching between swagger doc APIs via the topbar (input or dropdown), the Authorization is not reset.
So the user provided Authorization information for the first API will be sent to the second API if the user makes an API request on the second API.
This only happens if the Authorizations of the two APIs have the same name. In the example steps below this name is api_key.
In this case I log into the Petstore example, and after switching the API this information is still preserved and sent with every request made.

To reproduce...

Steps to reproduce the behavior:

  1. Go to http://petstore.swagger.io/
  2. Authorize via api_key with some gibberish
  3. Close Authorization window
  4. Open URL in topbar of the same Petstore browser window:
     https://gist.githubusercontent.com/mbaeuerle/64e6da854f92cfb0d4f5c1ddd1d75a8c/raw/b68db7afc1baff71fd0cdd7bbc96427ff02125d3/first.yaml
     (this is just a minimal spec to reproduce this issue I created on Gist: https://gist.github.com/mbaeuerle/64e6da854f92cfb0d4f5c1ddd1d75a8c#file-first-yaml)
  5. On the test spec open the Authorization window again
  6. You will now see that you are still logged in with the api_key but for the wrong API

Expected behavior

Either:

  • The credentials are dropped completely when switching API specs

Or (preferred):

  • The credentials are stored but only for the API they belong to when switching to another one. This way when specifying the urls parameter in the SwaggerUIBundle with a specific set of specs the user can switch back and forth between the specs but is still authorized correctly for each API.

Additional context or thoughts

  • This could possibly leak authorization information if the user is not careful and does not reauthorize with the newly selected API spec.

Edit: Accidentally deleted the Gist, therefore updated the links to a new one
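The following is an added example, not code from Swagger UI or from the reporter, that models the three behaviours discussed in the report: the reported one, where auth state is keyed only by scheme name and so survives a definition switch; the reporter's preferred fix, where credentials are scoped to the definition URL they were entered for; and the simpler fix of flushing everything when the URL changes. The definition URLs and the two `securityDefinitions` objects are constructed stand-ins for Petstore and the Gist spec (both declare a scheme named `api_key`, which is the condition the report identifies); `AuthStore`, `buildHeaders` and `runScenario` are hypothetical names.

```javascript
// Added example (not Swagger UI code): a small authorization store showing how
// the scope key decides whether a credential can cross a definition boundary.

class AuthStore {
  // mode "shared": one credential map for every definition (the reported behaviour);
  // mode "scoped": one map per definition URL (the reporter's preferred fix);
  // mode "flush":  every credential is dropped when the definition URL changes.
  constructor(mode = "scoped") {
    this.mode = mode;
    this.currentUrl = null;
    this.byDefinition = new Map(); // scope key -> Map(schemeName -> credential)
  }

  // "*" means credentials are shared across definitions; otherwise they are
  // isolated per definition URL.
  scopeKey() {
    return this.mode === "shared" ? "*" : this.currentUrl;
  }

  // Called when the user loads another definition from the top bar.
  switchTo(url) {
    if (this.mode === "flush") this.byDefinition.clear();
    this.currentUrl = url;
  }

  // Equivalent of the Authorize dialog: store a credential under a scheme name.
  authorize(schemeName, credential) {
    if (this.currentUrl === null) throw new Error("no definition loaded");
    let creds = this.byDefinition.get(this.scopeKey());
    if (!creds) {
      creds = new Map();
      this.byDefinition.set(this.scopeKey(), creds);
    }
    creds.set(schemeName, credential);
  }

  // Credentials visible to the currently loaded definition.
  authorizations() {
    return this.byDefinition.get(this.scopeKey()) ?? new Map();
  }
}

// Build request headers from the apiKey schemes the *current* definition
// declares (OpenAPI 2.0 securityDefinitions shape, header location only).
function buildHeaders(store, spec) {
  const headers = {};
  const creds = store.authorizations();
  for (const [schemeName, scheme] of Object.entries(spec.securityDefinitions ?? {})) {
    const cred = creds.get(schemeName);
    if (cred === undefined || scheme.type !== "apiKey" || scheme.in !== "header") continue;
    headers[scheme.name] = cred;
  }
  return headers;
}

// Constructed sample definitions mirroring the report: both declare a scheme
// called "api_key", which is what lets a credential carry over. The URLs are
// placeholders, not the real Petstore or Gist locations.
const PETSTORE_URL = "https://petstore.example/swagger.json";
const FIRST_URL = "https://gist.example/first.yaml";
const petstoreSpec = { securityDefinitions: { api_key: { type: "apiKey", in: "header", name: "api_key" } } };
const firstSpec = { securityDefinitions: { api_key: { type: "apiKey", in: "header", name: "X-API-Key" } } };

// Replays the reproduction steps and returns the headers that would be sent
// to the second definition and, after switching back, to the first.
function runScenario(mode) {
  const store = new AuthStore(mode);
  store.switchTo(PETSTORE_URL);
  store.authorize("api_key", "gibberish"); // step 2: authorize on Petstore
  store.switchTo(FIRST_URL);               // step 4: load the second definition
  const onFirst = buildHeaders(store, firstSpec);
  store.switchTo(PETSTORE_URL);            // switch back via the top bar
  const backOnPetstore = buildHeaders(store, petstoreSpec);
  return { onFirst, backOnPetstore };
}

for (const mode of ["shared", "scoped", "flush"]) {
  console.log(mode, JSON.stringify(runScenario(mode)));
}
```

In "shared" mode the Petstore credential is sent to the second API under whatever header name that API's `api_key` scheme declares (`X-API-Key` here), which is the leak the report describes; "scoped" mode sends nothing to the second API yet still has the credential when the user returns to Petstore, and "flush" mode sends nothing in either direction.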

shockey (Contributor) commented Aug 20, 2019

This could possibly leak authorization information if the user is not careful

Good point! I agree we should be flushing auth data when the definition URL changes.

janinko commented Aug 19, 2020

Any progress?

mathis-m (Contributor) commented Mar 8, 2021

Have added the auth data flush on url change with #7046.
