OpenAPI definition:
openapi: 3.0.2
info:
title: Ruby API
description: Web Server API to provide measurements
version: '1.0'
termsOfService: 'https://www.google.com'
contact:
name: Philippe D'Alva
url: 'https://myweburl.com/api'
email: [email protected]
license:
name: TBD
url: 'https://www.google.com'
servers:
- url: 'http://localhost/v1'
paths:
/login:
post:
tags:
- Authentication
summary: Use credentials to login to the Web Server
description: >-
Provide username and password credentials for the purpose of being
authenticated and accessing advanced features of the Web Server,
depending on user's privileges.
requestBody:
required: true
description: Username and Password to provide for authentication
content:
application/json:
schema:
type: object
required:
- username
- password
properties:
username:
type: string
example: Default
password:
type: string
example: Default_pwd
responses:
'200':
description: >-
Successfully authenticated. The session ID is returned in a cookie
named `connect.sid`. You need to include this cookie in subsequent
requests.
headers:
Set-Cookie:
schema:
type: string
example: connect.sid=fd4698c940c6d1da602a70ac34f0b147; Path=/; HttpOnly
content:
application/json:
schema:
title: Login Successful response
type: object
properties:
token:
type: string
description: User token used to be authenticated
example: >-
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjo2LCJ1c2VybmFtZSI6I.lBoaWxpcHBlIEQnQWx2YSIsImlh
username:
type: string
description: The name of the user.
example: Default
'401':
description: Unauthorized user
'500':
$ref: '#/components/schemas/500'
/logout:
post:
tags:
- Authentication
summary: Logout user from Web Server
description: Blablabla
responses:
'204':
description: Logout successfull with no returned content
/webclientapi/resume/:
get:
tags:
- Data acquisition
security:
- cookieAuth: []
bearerAuth: []
summary: Get all of the measures data
description: >-
This route is used to have all the measurements, aka readings, trends
and limits
parameters:
- in: query
name: id
description: The id of the measurement we want data
schema:
type: integer
example: 1
required: false
responses:
'200':
description: Resume data response
content:
application/json:
schema:
title: Resume successfull response
type: array
items:
required:
- id
- measurement_info
properties:
id:
type: integer
description: The ID of the measurement data
example: 1
measurement_info:
type: object
description: Object describing the measure information
properties:
id:
type: integer
description: The ID of the measurement information
example: 1
name:
$ref: '#/components/schemas/measurements'
reading:
type: object
description: Object with reading data value of the measurement
properties:
value:
type: integer
description: The reading value of the measurement
example: 50
units:
$ref: '#/components/schemas/Reading-Units'
trend:
type: object
description: Object with reading trend data value of the measurement
properties:
value:
type: integer
description: The value of the trend for the measurement reading
example: 42
units:
$ref: '#/components/schemas/Trend-Units'
components:
securitySchemes:
cookieAuth:
description: >-
Session key to identify user session. If you don't have a session key,
use
`s%3Ac2a45539-f10d-2da3-81e5-68a64ce330c3.IWcoOdr0RM1kfZetvvKrdBIG11hS1Vdid0xHXdcppyc`.
type: apiKey
in: cookie
name: connect.sid
bearerAuth:
description: >-
API key to authorize requests. If you don't have a Ruby API key, use
`fd4698c940c6d1da602a70ac34f0b147`
type: http
scheme: bearer
schemas:
'200':
title: Successful response
type: object
'500':
title: Internal error
type: string
description: Internal web server error
example: Web Server Internal Error
'Reading-Units':
title: Reading units
description: Units to be associated with reading values
type: string
enum:
- unit 1
- unit 2
- unit 3
- unit 4
'Trend-Units':
title: Trend units
description: Units to be associated with reading trend values
type: string
enum:
- unit 1
- unit 2
- unit 3
- unit 4
'measurements':
title: Measurement names
type: string
enum:
- Name 1
- Name 2
Event if a cookie authentification is defined (under the components->securitySchemes section) in the OpenAPI configuration file (yaml), it seems that Swagger Editor does not send cookie authentication data to the Web Server. But when executing the Swagger Editor generated CURL command in a command line window, the Web Server receive properly the cookie data for authentication.
Steps to reproduce the behavior:
Normally, After clicking on the "Execute" button of the API, the Web Server should have a "Cookie" header with the data described in the cookieAuth security scheme. But the request on the Web Server has no "Cookie" in his headers
The Available authorizations window:

The API we want to test:

The response we have after executing the API:

The content of request headers on the Web Server:

As you can see, no "cookie" header is available in the request headers. However, there is the "authorization" header
The Curl command generated by Swagger Editor:
curl -X GET "http://localhost/v1/webclientapi/resume/?id=1" -H "accept: application/json" -H "Authorization: Bearer fd4698c940c6d1da602a70ac34f0b147" -H "Cookie: connect.sid=s%253Ac2a45539-f10d-2da3-81e5-68a64ce330c3.IWcoOdr0RM1kfZetvvKrdBIG11hS1Vdid0xHXdcppyc"
The content of request headers on the Web Server when Swagger Editor generated Curl command is manually executed:

As you can see, there is a "cookie" header in the request headers. There is also an "authorization" header.
The result I receive in the command line console when Swagger Editor generated Curl command is manually executed:

Thank you in advance for your help
Cookie authentication currently does not work in Swagger UI and Swagger Editor because of browser security restrictions that prevent web pages from modifying certain headers (such as Cookie) programmatically. Please see https://github.com/swagger-api/swagger-js/issues/1163 for details.
@hkosova Thank you for your answer... If browser security restrictions prevents web pages from modifying headers like "Cookie", then Why there is a Cookie Authentication section in the Swagger documentation that seems to tell us that it is possible to do "Cookie Authentication" ?
That doc is an OpenAPI syntax guide. OpenAPI Specification allows describing cookie authentications in API definitions.
Swagger tools (Editor, UI, etc.) are specific implementations of the OpenAPI Specification. Since Swagger Editor/UI are web pages run entirely client-side in a browser, they are subject to browser security mechanisms like forbidden headers, CORS, etc.
Other tools may or may not have the same limitations depending on their implementation and runtime environment. For example, one of the workarounds discussed in https://github.com/swagger-api/swagger-js/issues/1163 is to proxy the requests through a server-side application to work around browser restrictions. SwaggerHub does this, so cookie authentication works in API docs hosted on SwaggerHub.
Thanks for your answer..It is more clear now..
Closing due to inactivity.
This is simply to keep our issue tracker clean - feel free to comment if there are any further thoughts or concerns, and we'll be happy to reopen this issue.
To future readers: you should check https://github.com/swagger-api/swagger-js/issues/1163 for more information about this limitation in general.
Most helpful comment
Cookie authentication currently does not work in Swagger UI and Swagger Editor because of browser security restrictions that prevent web pages from modifying certain headers (such as
Cookie) programmatically. Please see https://github.com/swagger-api/swagger-js/issues/1163 for details.