fastify-swagger: protect access of Swagger UI #465

Closed
simon-tannai opened this issue Mar 10, 2021 · 5 comments · Fixed by #466

@simon-tannai

Hello!

I'm using fastify-swagger to generate API documentation.
It's working fine but I would like to protect the access to Swagger UI with a simple username / password.

Is it possible to do it with fastify-swagger?

@mcollina
Member

It's not currently possible but it would be really useful, would you like to send a PR?

@Eomm Eomm self-assigned this Sep 10, 2021
@Eomm
Member

Eomm commented Sep 10, 2021

The swagger-ui used under the hood does not support this kind of feature out of the box.

You can run this snippet to add it:

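```js
const fastify = require('fastify')({ logger: true })

const docPrefix = '/docs'

// Register basic auth first, then attach it to every route under docPrefix.
fastify.register(require('fastify-basic-auth'), {
  validate,
  authenticate: true // send WWW-Authenticate so browsers show a login prompt
}).after(() => {
  // onRoute fires for each route registered after this point,
  // which includes the Swagger UI routes registered below.
  fastify.addHook('onRoute', function hook (routeOptions) {
    if (routeOptions.url.startsWith(docPrefix)) {
      routeOptions.onRequest = fastify.basicAuth
    }
  })
})

// Demo credentials, hardcoded for illustration.
function validate (username, password, req, reply, done) {
  if (username === 'admin' && password === 'admin') {
    done()
  } else {
    done(new Error('Winter is coming'))
  }
}

fastify.register(require('fastify-swagger'), {
  routePrefix: docPrefix
  // .... (remaining fastify-swagger options elided in the original comment)
})
```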

And it works

@simon-tannai Would you like to integrate it in our plugin out of the box?
We could accept the onRequest hooks as input so users can provide them without the burden of listening for the onRoute hook.

@zekth
Member

zekth commented Sep 10, 2021

I'm +1 on hooks addition to the swagger-ui config.

@Eomm Eomm transferred this issue from fastify/help Sep 14, 2021
@Eomm Eomm closed this as completed in #466 Sep 15, 2021
@kalitas

kalitas commented Jan 5, 2023

But this will mean that this check runs on every request made to the server... no?

@fornof

fornof commented May 26, 2023

Yes, that is basic authentication. Generally basic auth is saved in the browser for additional requests, so it is transparent to the user.
I might store user/pass in environment variable or in a json file with hashed password, then check the hashes.
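
An added example, not part of the thread and not fastify-swagger's own code: one way to implement the approach suggested in the comment above (credentials taken from environment variables, only a salted hash stored), as a `validate` function in the callback shape used by the snippet earlier in this issue. The environment variable names, `makeValidate`, `recordFromEnv` and the sample values are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto')

// Derive a 32-byte scrypt key; only the salt and this hash are stored.
function hashPassword (password, saltHex) {
  return crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32).toString('hex')
}

// Constant-time comparison. Both sides are hashed to equal length first,
// because timingSafeEqual throws on buffers of different length.
function safeEqual (a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest()
  const hb = crypto.createHash('sha256').update(String(b)).digest()
  return crypto.timingSafeEqual(ha, hb)
}

// Hypothetical variable names (assumption; the thread defines none).
function recordFromEnv (env) {
  return { username: env.DOCS_USER, saltHex: env.DOCS_PASS_SALT, hashHex: env.DOCS_PASS_HASH }
}

// Returns validate(username, password, req, reply, done); pass the result
// as the `validate` option of fastify-basic-auth.
function makeValidate (record) {
  if (!record.username || !record.saltHex || !record.hashHex) {
    throw new Error('docs credentials are not configured') // fail closed at startup
  }
  return function validate (username, password, req, reply, done) {
    // Hash even when the username is wrong so both failures cost the same.
    const candidate = hashPassword(String(password), record.saltHex)
    const userOk = safeEqual(username, record.username)
    const passOk = safeEqual(candidate, record.hashHex)
    if (userOk && passOk) return done()
    done(new Error('Unauthorized'))
  }
}

// Constructed sample values so the example runs offline.
const sampleSalt = '00112233445566778899aabbccddeeff'
const sampleEnv = {
  DOCS_USER: 'docs-reader',
  DOCS_PASS_SALT: sampleSalt,
  DOCS_PASS_HASH: hashPassword('correct horse battery staple', sampleSalt)
}

// Demo helper: run validate once and report the outcome as a boolean.
function check (validate, user, pass) {
  let ok = false
  validate(user, pass, null, null, (err) => { ok = !err })
  return ok
}
```

Because the browser resends Basic credentials with every request under the docs prefix, the scrypt derivation runs on each of those requests.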
