Problem statement
When the Swagger definition does not specify the schemes and no --default-scheme is specified on the CLI, go-swagger will currently choose HTTP. Would you be open to changing this default --default-scheme to HTTPS?
The benefit to using HTTPS as the default is that it is more secure. The downside is that changing this might break existing users that expect the default --default-scheme to be HTTP.
Background
In grpc-ecosystem/grpc-gateway#1069 we changed grpc-gateway so that it only adds a schemes key to the Swagger definition if the user explicitly specifies one or more schemes. This was done to support generating a Swagger definition with no schemes (which means to use the scheme used to access the definition itself).
We tested a few generators and in the case of go-swagger we found that this would cause clients to start using HTTP instead of HTTPS. Hence this issue.
Swagger specification
Any Swagger definition without schemes will do:
swagger: "2.0"
info:
  version: "1.0"
  title: "Hello World"
paths:
  /hello:
    get:
      description: Returns a hello message.
      responses:
        200:
          description: The hello message.
          schema:
            type: string
Steps to reproduce
Generating a client with ./swagger_linux_amd64 generate client -f hello_world.swagger.yaml will produce a client that uses HTTP:
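An added example, not part of the original issue and not go-swagger code: a pre-generation check in Go that rejects a Swagger 2.0 definition when it neither lists https in schemes nor is generated with --default-scheme set to https. The function name GateSchemes and the JSON rendering of the Hello World definition are constructed for illustration, and the check assumes the definition is available as JSON.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// helloWorld is a constructed JSON rendering of the schemes-less definition above.
const helloWorld = `{"swagger":"2.0","info":{"version":"1.0","title":"Hello World"},
 "paths":{"/hello":{"get":{"responses":{"200":{"description":"The hello message."}}}}}}`

// GateSchemes returns an error when the definition neither lists https nor is
// generated with --default-scheme https. defaultScheme is the value passed to
// that flag; "" means the flag was not given, which per the issue above
// currently results in HTTP.
func GateSchemes(doc []byte, defaultScheme string) error {
	var spec struct {
		Swagger string   `json:"swagger"`
		Schemes []string `json:"schemes"`
	}
	if err := json.Unmarshal(doc, &spec); err != nil {
		return fmt.Errorf("parse definition: %w", err)
	}
	if spec.Swagger != "2.0" {
		return fmt.Errorf("not a Swagger 2.0 definition (swagger=%q)", spec.Swagger)
	}
	if len(spec.Schemes) == 0 { // no schemes key, or an empty list
		if strings.EqualFold(defaultScheme, "https") {
			return nil
		}
		return errors.New("no schemes in definition and --default-scheme is not https")
	}
	// An explicit schemes list is used as written; the default does not apply.
	for _, s := range spec.Schemes {
		if strings.EqualFold(s, "https") {
			return nil
		}
	}
	return fmt.Errorf("definition only lists %v: no https scheme", spec.Schemes)
}

func main() {
	fmt.Println(GateSchemes([]byte(helloWorld), ""))      // rejected
	fmt.Println(GateSchemes([]byte(helloWorld), "https")) // <nil>
}
```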