swaggerUI from behind AWS API Gateway?

Hi,
We’d like to host our swaggerUI but it’s sitting behind an AWS API Gateway. I know about prependSecurity, but the swaggerUI makes additional requests. I’ve reviewed issues: 85, 136 & 474, but those don’t seem to provide a full answer.

We tried creating the endpoints (w/some SwaggerUIOptions) and then mapping over the generated endpoints and adding prependSecurityPure. That doesn’t seem sufficient. Even if that were sufficient, we likely need to open up certain paths on the AWS API Gateway.

Ideally, we could add our JWT token to all those requests (or if they’re simply for static content maybe just let them through w/o an authorizer).

Much appreciated in advance.
Uri

Can you maybe explain a bit more what’s the problem? What kind of functionality are you missing from the swagger UI?

Hi @adamw!
Thanks for the prompt reply. We love the SwaggerUI, we just want to be able to access it in prod too – which is behind an AWS API Gateway. Said API gateway blocks all requests by default and we need to carve out exceptions by path (default for /api/ where swagger sits is to require a JWT auth token). In addition, we expect there are GET requests for e.g. images and styles, so I don’t think that prependSecurity on its own gets us all the way to working in production behind an API Gateway.

What I would like is:

  1. How we identify the other endpoints we need to open up?
  2. Whether we can secure those with a JWT token or have to leave them wide open.

Hope that makes sense. I’m expecting this information (no code change anticipated) will be helpful not only to us but also to others.

Thanks again!

I guess this depends on how exactly you expose SwaggerUI and where the docs live. If the SwaggerUI is available under the /api/docs path, for example, then all requests for HTML, CSS, JS, images will hit children of this path. So one option is to simply configure that path as available.

If you need to customise the endpoints that are used to expose SwaggerUI, as described here, the SwaggerInterpreter().fromEndpoints gives you a List[ServerEndpoint[Any, F]], which handle requests for the HTML and all resources. So if you prepend any security for them, this will also apply to stylesheets etc. I suppose this might also include “static” verification of JWT tokens, based on header values?

If this still doesn’t work, maybe you could share a code example; it will be easier to work on a specific case.
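
The approach described in the reply above, sketched in Scala as an added example (not code from the thread or from the tapir project): the Swagger UI endpoints are generated under `/api/docs` and a bearer-token check is prepended to each of them, so it covers the HTML, the stylesheets, the scripts and the spec alike. The `hello` endpoint, the `SecuredDocs` and `validHs256` names, the placeholder secret and the choice of HS256 with a shared key are assumptions made for illustration.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import scala.concurrent.Future
import scala.util.Try
import sttp.model.StatusCode
import sttp.tapir._
import sttp.tapir.server.ServerEndpoint
import sttp.tapir.swagger.SwaggerUIOptions
import sttp.tapir.swagger.bundle.SwaggerInterpreter

object SecuredDocs {
  // Hypothetical API endpoint whose documentation is being served.
  val hello: PublicEndpoint[Unit, Unit, String, Any] =
    endpoint.get.in("api" / "hello").out(stringBody)

  // Assumption: HS256 tokens signed with a shared secret (placeholder value).
  private val secret = "replace-me".getBytes(UTF_8)

  // Signature-only check: recompute the HMAC over "header.payload", compare in constant time.
  // Claims (exp, aud, iss) and the alg header are not checked; use a JWT library for those.
  def validHs256(token: String): Boolean = token.split('.') match {
    case Array(h, p, sig) =>
      Try {
        val mac = Mac.getInstance("HmacSHA256")
        mac.init(new SecretKeySpec(secret, "HmacSHA256"))
        val expected = mac.doFinal(s"$h.$p".getBytes(UTF_8))
        MessageDigest.isEqual(expected, Base64.getUrlDecoder.decode(sig))
      }.getOrElse(false)
    case _ => false
  }

  // Serve the UI under /api/docs: every asset request is a child of that path.
  private val options = SwaggerUIOptions.default.copy(pathPrefix = List("api", "docs"))

  val docs: List[ServerEndpoint[Any, Future]] =
    SwaggerInterpreter(swaggerUIOptions = options)
      .fromEndpoints[Future](List(hello), "My API", "1.0")

  // Prepend the bearer check to every docs endpoint, stylesheets and scripts included.
  val securedDocs: List[ServerEndpoint[Any, Future]] = docs.map(
    _.prependSecurityPure(auth.bearer[String](), statusCode(StatusCode.Unauthorized))(
      token => if (validHs256(token)) Right(()) else Left(())
    )
  )
}
```

A browser navigating to the docs URL does not attach an `Authorization` header to the page or asset requests by itself, so this check suits clients or a proxy layer that can set the header on every request under `/api/docs`.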