Authorization input #35

Closed
Evanion opened this issue Feb 15, 2017 · 9 comments

Evanion commented Feb 15, 2017

I realise that this might not be specifically related to feathers-swagger, but we should be able to figure this out together and add it to this repo's installation instructions.

Expected behavior

Input field in header that allows the user to add a token to be included with every request.

Actual behavior

No token gets added to requests

What I have done

  • Installed current feathers-cli
  • Generated new app
  • Added feathers-swagger as stated in readme
  • Customized docs.html to add an input#input_apiKey field to the header

app.js:

const swagger = require('feathers-swagger');
...
app.use(compress())
  .options('*', cors(corsOptions))
  .use(cors(corsOptions))
  .use(favicon( path.join(app.get('public'), 'favicon.ico') ))
  .use('/', serveStatic( app.get('public') ))
  .use(bodyParser.json())
  .use(bodyParser.urlencoded({ extended: true }))
  .configure(hooks())
  .configure(swagger({
    docsPath: '/docs',
    uiIndex: path.join(__dirname, '../docs/docs.html'),
    info: {
      title: 'Feathers app API server',
      description: 'This server allows... '
    }
  }))
  .configure(rest())
  .configure(socketio())
  .configure(services)
  .configure(middleware);
...

services/user/index.js:

module.exports = function() {
  const app = this;

  const options = {
    Model: user,
    paginate: {
      default: 5,
      max: 25
    }
  };

  const Service = service(options);

  Service.docs = {
    description: 'A service to manage users',
    definitions: {
      users: {
        "type": "object",
        "required": [
          "email",
          "password"
        ],
        "properties": {
          "email": {
            "type": "string",
            "description": "User email"
          },
          "password": {
            "type": "string",
            "description": "User Password"
          },
          "createdAt": {
            "type": "string",
            "description": "object creation date"
          },
          "updatedAt": {
            "type": "string",
            "description": "Last time the object was updated"
          }
        }
      }
    }
  };

  // Initialize our service with any options it requires
  app.use('/users', Service);

  // Get our initialized service so that we can bind hooks
  const userService = app.service('/users');

  // Set up our before hooks
  userService.before(hooks.before);

  // Set up our after hooks
  userService.after(hooks.after);
};

Other notes

window.ApiKeyAuthorization is deprecated. We should use SwaggerClient.ApiKeyAuthorization instead.
window.authorizations is deprecated. We should use SwaggerUi.api.clientAuthorizations.add() instead.


Morriz commented Feb 26, 2017

I still don't see a field in the ui for this, nor am I seeing any token being taken from a response and reused. Any progress?


longseespace commented Jul 29, 2017

You'll need securityDefinitions in your swagger config.

app.configure(swagger({
  docsPath: '/docs',
  uiIndex: true,
  security: {
    name: 'jwt',
    type: 'apiKey',
    in: 'header',
  },
  securityDefinitions: {
    jwt: {
      type: 'apiKey',
      name: 'Authorization',
      in: 'header',
    },
  },
}));


ricardovf commented Jan 15, 2018

@longseespace After authorizing, I get this error when I send a request to /message, for example, via the Swagger interface... Any idea?

[two screenshots, 2018-01-15]

@ivanmarjanovic
Contributor

Hi,

I also get the same error with version 0.7.1. Up until now, I didn't find any way to work with authorized requests. Can anyone confirm that authorized requests are working?

[screenshot]

@ivanmarjanovic
Contributor

If anyone is interested I did manage to solve this issue, by forking the repo and fixing the issue.

https://github.com/ivanmarjanovic/feathers-swagger

The Swagger specification is now in line with the 2.0 version documentation:

https://swagger.io/docs/specification/2-0/authentication/

Correct usage on a global level is:

security: [
  {
    APIKeyHeader: []
  }
],
securityDefinitions: {
  APIKeyHeader: {
    type: 'apiKey',
    name: 'Authorization',
    in: 'header'
  }
}

Also, for every service you want to protect, you need to add an additional parameter that states which methods are protected.

securities: ['find', 'create', 'get', 'update', 'patch', 'remove'],

Works with Swagger UI/Editor default implementation.
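
An added example, not part of the comment above or of feathers-swagger: a small linter for a generated Swagger 2.0 document that flags the object-form `security` posted earlier in this thread, requirement names missing from `securityDefinitions`, and operations that no requirement covers. `checkSecurity`, `checkList` and the sample specs are constructed for illustration.

```javascript
// Added example (not from feathers-swagger): lint the security wiring of a
// Swagger 2.0 document. Function names and sample specs are constructed.
const METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch'];

function checkList(list, defs, where, problems) {
  if (!Array.isArray(list)) {
    problems.push(`${where}: must be an array of requirement objects`);
    return;
  }
  list.forEach((req, i) => {
    for (const [name, scopes] of Object.entries(req || {})) {
      const def = Object.prototype.hasOwnProperty.call(defs, name) ? defs[name] : null;
      if (!def) problems.push(`${where}[${i}]: "${name}" is not in securityDefinitions`);
      else if (!Array.isArray(scopes)) problems.push(`${where}[${i}]: "${name}" must map to an array`);
      else if (def.type !== 'oauth2' && scopes.length) problems.push(`${where}[${i}]: "${name}" takes no scopes`);
    }
  });
}

function checkSecurity(spec) {
  const problems = [];
  const defs = spec.securityDefinitions || {};
  if (spec.security !== undefined) checkList(spec.security, defs, 'security', problems);
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of METHODS.filter((m) => item[m])) {
      const op = item[method];
      const where = `paths.${path}.${method}`;
      if (op.security !== undefined) checkList(op.security, defs, `${where}.security`, problems);
      else if (spec.security === undefined) problems.push(`${where}: no security requirement applies`);
    }
  }
  return problems;
}

// Constructed samples: the object form posted earlier in the thread, then the
// array form from the comment above, with one operation left unprotected.
const definitions = { APIKeyHeader: { type: 'apiKey', name: 'Authorization', in: 'header' } };
const objectForm = {
  security: { name: 'jwt', type: 'apiKey', in: 'header' },
  securityDefinitions: { jwt: definitions.APIKeyHeader },
  paths: {},
};
const arrayForm = {
  securityDefinitions: definitions,
  paths: { '/users': { get: { security: [{ APIKeyHeader: [] }] }, post: {} } },
};
console.log(checkSecurity(objectForm));
console.log(checkSecurity(arrayForm));
```

An operation-level `security: []` is treated as an explicit opt-out and is not reported; only operations with no requirement at either level are.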

@gabrielperales

@ivanmarjanovic why didn't you PR it?

@ivanmarjanovic
Contributor

Hi @gabrielperales,
I did; since version 0.7.2 it should be in the main repo. I didn't have time to check, but it should work.
Also, I have one more fix that I have found in the meantime, and I am thinking of extending the functionality with an option to ignore specific methods of a service from swagger (in case that e.g. update and patch are not used on the service). Not sure that such a PR will be accepted "as is".

@gabrielperales

@ivanmarjanovic ok cool, for some reason it was not working for me with the code from this repo but it worked with yours. I have just double-checked and now it is working... not sure what I have changed.

@Mairu
Collaborator

Mairu commented May 24, 2019

Definition of authentication should work with version 1.0.0; there is also an example with security definitions.

@Mairu Mairu closed this as completed May 24, 2019