Here are some details:
We have a relatively simple Rails application that powers an analytics dashboard. In order to log into the application, a user goes through a login process, and a session cookie is set for this user.
When the user requests a dashboard screen, the API is called to get time series data about a given object. This session cookie is passed, and a JSON result is returned. Here is an example of a working script (with the session cookie values modified):
curl 'https://app.authenticated.digital/analytics/custom?fields=platform%2Cexchange%2Ctotal&sorts=-total&limit=50&page=1&granularity=all&start_date=2016-06-14&end_date=2016-06-15' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36' -H 'Accept: application/json' -H 'Referer: https://app.authenticated.digital/analysis/all/authentic_dsp/' -H 'Cookie: remember_user_token=fjsdlkfjsdlkfjsdlkfjsldkfjsldkfj--dlsdjflsdifjlsdkfjdslkfjsdlf; _admin_session=flkjsdflksdjflksdjflksdjflksdjfldksfjsldkfj--dfkjsdlfkjdsflksdjflksdjfd' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' --compressed
When SwaggerHub uses XHR to pass in the request, the cookies are not passed, so I receive a 401 not authorized error.
I have read in the forums that there may be the ability to pass cookies (e.g. with-credentials: true) by passing in "enableCookies: true" in the Swagger definition file. This does not seem to work.
I'd like to be able to set a flag somewhere in the Swagger definition file to instruct XHR to pass cookies with the JSON request.
Thanks!
P.S. I know that using cookie based authentication is not the preferred method of auth, but one FANTASTIC application of Swagger is to document existing API that may have been written in this way - and I would imagine that a large percentage of API's implement authentication this way. Two popular examples are JIRA and Wordpress.
OK I think I get it--but how are you entering your cookie values from the UI (assuming the interactive UI in swaggerhub)?
The auth cookies are set after successful authentication from the UI of our app on (for example) www.mydashboard.com. The cookie domain is for *.mydashboard.com. Therefore, my workflow would be as follows:
1. Log into www.mydashboard.com. Auth cookies will be set in the browser.
2. Open a new tab and go to swaggerhub.com, and navigate to my API.
3. "Try it out" and allow swaggerhub.com to make an XHR request to api.mydashboard.com.
The expected behavior is that cookies are sent for this request. They are not being sent because the "withCredentials = true" flag is not being set from the instance of Swagger being hosted at SwaggerHub.
More information is here:
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
What I am asking for is the ability to instruct the version of swagger on swaggerhub to modify their XHR request to pass with credentials = true. Perhaps this should be part of the spec?
Hi switzer,
I think I might know what's happening...
There is an issue with Cookies, that we have an initial ( not ideal ) solution.
SwaggerHub.com uses cookies to keep a session active for users. As such, cookies get sent back and forth between the "Try it out" form and the internal proxy ( the proxy is there to circumnavigate CORS issues).
Since many servers can be quite strict in what headers they receive, we've had to ensure that our cookie sessions don't follow the request.
So our intermediary solution is the Authentication system.
If you define a securityDefinition followed by a security in each operation that needs authentication, then you can "log in" with the Try it out form. What it does is add a header ( or query ) of your choosing to each request. Unfortunately, ( and this is the "not ideal" part). You'll have to make this a two part process.
> For the `securityDefinitions` and `security` in your schema... exmple: https://swaggerhub.com/api/ponelat/with-cookies/1/edit and reference: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitionsObject
Once you've set it up..
1. Get your cookie string by calling your endpoint, then looking at the Response Headers for "set-cookie"
2. Authenticate your session by clicking on the "Authorize button"
2.1 Then you can paste your cookie string. And subsequent requests ( that have the security property ) will include the Cookie header.
Happy Developing!
Josh
FWIW I installed Swagger UI on my machine, and the API works as expected when I load the UI as a file://...
When i load as "http://localhost:8080..." it does not work.
Separately, we rolled out our API with an API key, so I am going to pursue this path instead.
