Swagger: auth protect for swagger access url

Created on 5 May 2019  ·  9 Comments  ·  Source: nestjs/swagger

I'm submitting a...


[ ] Regression 
[ ] Bug report
[x] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

I want to add authentication for accessing the swagger url (so that only authenticated users can access the swagger url to see the endpoints). Do we have a way to auth protect the swagger access url? I tried several ways, like using a guard or using middleware, but none of them are working. Do we have this feature? If so, do we have an example of how to do it?

question

Most helpful comment

app.use(apiPath, basicAuth({
  challenge: true,
  users: { [apiUser]: apiPass },
}))
SwaggerModule.setup(apiPath, app, document)

// where basicAuth is
import * as basicAuth from 'express-basic-auth'

Is the fastest and most straightforward way.

To be confirmed, but I had a similar issue with making middleware X (like postgraphile, which is exposed as middleware): any Nest feature (like Guards, Middlewares) cannot "touch" those endpoints in any way (thus making guards/middlewares not effective).

Hi, it didn't work for me; it only works if I remove apiPath. But in that case not only the swagger api is protected.

You must specify "/apiPath". Ex: '/docs'

Hey,

Does this mean that basicAuth will show a login popup for that particular route?

I wanted to protect my swagger docs url and I added the code below, but it is not popping up any login screen/popup.

site-globals.controller.ts

import { ValidationPipe } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
import * as compression from 'compression';
import * as basicAuth from 'express-basic-auth';

export class SiteGlobalsController {
  constructor(
    private readonly configService: ConfigService,
    private readonly app: any,
  ) {}

  /**
   * List of pipes to be applied globally
   */
  setPipes() {
    this.app.useGlobalPipes(
      new ValidationPipe({
        disableErrorMessages:
          this.configService.get<string>('ENV', 'prod') === 'prod'
            ? true
            : false,
        whitelist: true,
      }),
    );
  }

  /**
   * Sets API prefix at global level(all APIs)
   * Example: /api/v1/
   * 'v1' - API version to be set in .env
   */
  setGlobalPrefix() {
    this.app.setGlobalPrefix(
      `api/${this.configService.get<string>('API_VERSION')}`,
    );
  }

  /**
   * Enables Swagger API documentation
   * Docs: https://docs.nestjs.com/recipes/swagger & https://swagger.io/docs/
   */
  enableSwagger() {
    const options = new DocumentBuilder()
      .setTitle('API example')
      .setDescription('The API description')
      .setVersion('1.0')
      .build();
    const docsPath = `api/${this.configService.get<string>(
      'API_VERSION',
    )}/docs`;
    this.app.use(
      docsPath,
      basicAuth({
        challenge: true,
        users: { admin: 'admin' },
      }),
    );
    const document = SwaggerModule.createDocument(this.app, options);

    SwaggerModule.setup(docsPath, this.app, document);
  }

  /**
   * Enables compression for site
   */
  enableCompression() {
    this.app.use(compression());
  }

  /**
   * Enables CORS
   */
  enableCORS() {
    // CORS doc: https://github.com/expressjs/cors#configuration-options
    this.app.enableCors();
  }
}

main.ts

import { NestFactory } from '@nestjs/core';
import { ConfigService } from '@nestjs/config';
import * as dotenv from 'dotenv';

import { AppModule } from './app.module';
import { SiteGlobalsController } from './_globals/site-globals.controller';

dotenv.config();

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  const global = new SiteGlobalsController(new ConfigService(), app);

  // Enable compression
  global.enableCompression();

  // Enable CORS
  // global.enableCORS()

  // Set Pipes globally
  global.setPipes();

  // Set API prefix
  global.setGlobalPrefix();

  // Enable Swagger API Documentation
  global.enableSwagger();

  await app.listen(process.env.PORT);
}
bootstrap();
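
Added example, not part of any comment in this thread: a simplified JavaScript model of how Express matches a mount path, combined with the Basic-auth decision, showing why the mount path needs its leading slash and which URLs a given mount actually guards. The function names, user name and password are constructed for illustration; it assumes the raw spec is also served at `<docsPath>-json`, the @nestjs/swagger default.

```javascript
// Added example: simplified model of Express mount matching plus a Basic-auth gate.
const { timingSafeEqual, createHash } = require('node:crypto');

// Express treats a mount path as a prefix that must end on a segment boundary.
function mountCovers(mount, url) {
  const path = url.split('?')[0].toLowerCase();
  const base = mount.toLowerCase().replace(/\/+$/, '');
  return path === base || path.startsWith(base + '/');
}

// Hash both sides so timingSafeEqual always receives equal-length buffers.
function safeEqual(a, b) {
  const h = (s) => createHash('sha256').update(String(s)).digest();
  return timingSafeEqual(h(a), h(b));
}

// Returns what a client would see for `url`, given the guarded mount paths.
function gate(mounts, users, url, authorization) {
  if (!mounts.some((m) => mountCovers(m, url))) return { status: 200, guarded: false };
  const denied = { status: 401, guarded: true,
    headers: { 'WWW-Authenticate': 'Basic realm="docs"' } }; // makes the browser prompt
  const m = /^Basic ([A-Za-z0-9+\/=]+)$/.exec(authorization || '');
  if (!m) return denied;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return denied;
  const user = decoded.slice(0, sep), pass = decoded.slice(sep + 1);
  // Check every entry so timing does not reveal which user names exist.
  let ok = false;
  for (const [u, p] of Object.entries(users)) {
    if (safeEqual(user, u) & safeEqual(pass, p)) ok = true;
  }
  return ok ? { status: 200, guarded: true } : denied;
}

// Constructed sample values; real credentials belong in configuration, not source.
const USERS = { 'docs-reader': 'constructed-sample-password' };
const DOCS = '/api/v1/docs';
const creds = 'Basic ' + Buffer.from('docs-reader:constructed-sample-password').toString('base64');

function report(mounts) {
  return [DOCS, DOCS + '/', DOCS + '-json', '/api/v1/users']
    .map((u) => `${u} -> ${gate(mounts, USERS, u).status}`);
}

console.log(report(['api/v1/docs']));        // no leading slash: nothing is guarded
console.log(report([DOCS]));                 // UI guarded, raw spec at -json still open
console.log(report([DOCS, DOCS + '-json'])); // both guarded, rest of the API untouched
```

In Express, the third case corresponds to passing both paths to `app.use` as an array. A mount of `/` covers every URL, which matches the report above that dropping the path protects more than the docs.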

How could this be applied to a project with Fastify and not Express?

hi! for the record, and if it helps somebody, i managed to auth protect swagger docs w/ fastify. you can check it out:
https://gist.github.com/iamyellow/7051e1bcd5792f22169883223141dc28

just take into account i'm using some env vars for hiding the secret "password", cookies lib as dependency for secure cookies and as a transport for the jwt token, which just has a dummy value. obviously you can change that and even add some ACL or users in your db.

Is there any plan to make it easier to setup login page for Swagger docs?

Any news yet on how to use guards like passport to protect swagger docs?

Did anybody solve it for express adapter? stuck as well
