From dae3bc385c69c067769e5517980f73340f97819c Mon Sep 17 00:00:00 2001
From: Nicolas Dupont
Date: Wed, 5 Jul 2023 15:49:08 +0200
Subject: [PATCH] Allow to access Swagger UI on non SSL Express server
---
 src/api/routes/index.js | 6 +++++-
 src/api/server.js | 3 ---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/api/routes/index.js b/src/api/routes/index.js
index 79b753c77..ba5b2fbf9 100644
--- a/src/api/routes/index.js
+++ b/src/api/routes/index.js
@@ -1,4 +1,5 @@
 import express from 'express';
+import helmet from 'helmet';
 import swaggerUi from 'swagger-ui-express';
 import servicesRouter from './services.js';
@@ -6,9 +7,12 @@ import specsRouter, { specs } from './specs.js';
 const apiRouter = express.Router();
-apiRouter.use('/specs', specsRouter);
 apiRouter.use('/docs', swaggerUi.serve);
 apiRouter.get('/docs', swaggerUi.setup(specs));
+
+apiRouter.use(helmet()); // Register `helmet` after swaggerUi routes to ensure insecure requests won't be upgraded to secure requests for swaggerUI assets; see https://github.com/scottie1984/swagger-ui-express/issues/212#issuecomment-825803088
+
+apiRouter.use('/specs', specsRouter);
 apiRouter.use('/services', servicesRouter);
 export default apiRouter;
diff --git a/src/api/server.js b/src/api/server.js
index 1eed3b206..f8b86dc50 100644
--- a/src/api/server.js
+++ b/src/api/server.js
@@ -1,6 +1,5 @@
 import config from 'config';
 import express from 'express';
-import helmet from 'helmet';
 import logger from './logger.js';
 import errorsMiddleware from './middlewares/errors.js';
@@ -9,8 +8,6 @@ import apiRouter from './routes/index.js';
 const app = express();
-app.use(helmet());
-
 if (process.env.NODE_ENV !== 'test') {
 app.use(loggerMiddleware);
 }
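Review bot: Registering `helmet()` after the two `/docs` routes in the second hunk of `src/api/routes/index.js` leaves the Swagger UI page and its assets without any of helmet's headers (CSP, `X-Content-Type-Options`, frame restrictions), not only the `upgrade-insecure-requests` directive that the linked issue is about. A narrower fix keeps helmet in front of every route and disables just that directive, e.g. `apiRouter.use(helmet({ contentSecurityPolicy: { directives: { upgradeInsecureRequests: null } } }));` placed before `apiRouter.use('/docs', swaggerUi.serve);`. Confirm that the installed helmet version accepts `null` to drop a default directive. The removal of `app.use(helmet());` in the last hunk of `src/api/server.js` also means responses for requests that never reach `apiRouter` no longer get these headers; the router's mount point is outside the diff, so this needs checking. If the ordering is kept, move the trailing comment to its own line above the call and state the rule plainly, e.g. `// Routes registered above this line are served without helmet headers`.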