Passing Cookies to API endpoint #343

klacointe opened this issue Nov 8, 2013 · 10 comments
Closed

@klacointe

Hi,

I want to add a Cookie header to each request made to the API. I tried this without success:

  window.authorizations.add(
    "Cookie",
    new ApiKeyAuthorization("Cookie", '_key=COOKIE_VALUE', 'header')
  )

Is there any other solution to add Cookie headers?

@etiennea

+1

@prantlf
Contributor

prantlf commented Nov 24, 2013

You cannot add cookies to AJAX requests this way. Cookie and Set-Cookie are special headers which are handled by the web browser's XMLHttpRequest.

Cookies can be sent, received, stored and deleted by XMLHttpRequest automatically; just like it happens with the "synchronous" requests - HTML pages, for example. You need a web browser with support for the XMLHttpRequest II and set XMLHttpRequest.withCredentials = true. However, the library used by swagger for the network communication (shred) doesn't do it; you'd have to modify it.

@jjchiw

jjchiw commented Jul 3, 2014

This is very old, but this is how I made it work in my environment...

I had the same need, so I just added these two lines in swagger.js before the if statement https://github.com/wordnik/swagger-ui/blob/master/dist/lib/swagger.js#L1208

I didn't know how to change the useJQuery boolean to true, so I just hard-coded it. Yes, it looks very awful, but it works.

obj.useJQuery = true;
obj.xhrFields = { withCredentials: true };

@fehguy
Contributor

fehguy commented Jul 11, 2014

ok, we've recently merged swagger-api/swagger-js#102 which makes the useJQuery flag work fully.

When constructing the Swagger UI, just pass the useJQuery=true:

new SwaggerUi({
      url: "http://petstore.swagger.wordnik.com/api/api-docs",
      dom_id: "swagger-ui-container",
      useJQuery: true
});

@fehguy fehguy closed this as completed Jul 11, 2014
@lucups

lucups commented Jul 21, 2014

+1

@fishermand46

I don't understand how this helps with passing cookies to the endpoint? Can someone give me a code example of how to do this? Thanks.

@prantlf
Contributor

prantlf commented Jan 14, 2015

The referenced commit lets you use the $.ajax for whatever reasons. It does not turn on sending cookies in the XMLHttpRequest by default. And it should not be done - the server needs to confirm it and if it does not, which is the default behaviour, the entire AJAX call fails. It is a protection against XSRF attacks; only some REST APIs perform the authorization using cookies, usually only partially. See withCredentials & Access-Control-Allow-Credentials.

You should still set jqxhr.xhrFields = { withCredentials: true } or xhr.withCredentials = true somewhere. An ugly solution would be modifying the JQueryHttpClient's execute method to do it before calling $.ajax. Optimally the SwaggerUi could include an additional option for this, for example:

new SwaggerUi({
      url: "http://petstore.swagger.wordnik.com/api/api-docs",
      dom_id: "swagger-ui-container",
      useJQuery: true,
      withCredentials: true,
      ...

If the ShredHttpClient could not be modified to support it, it would work only for the JQueryHttpClient.

A solution without modifying Swagger would be registering an $.ajaxTransport for all data types, creating a usual XMLHttpRequest instance there and setting the withCredentials flag on it right away.

I think that the SwaggerUi should offer a flag for it, unless it allows you to access the $.ajax instance or to propagate options to it somehow.
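
Added example, not part of the thread or of the Swagger code: a JavaScript model of the check a browser applies to a cross-origin response, showing why a call made with withCredentials fails unless the server explicitly opts in. The function names and the origins `https://docs.example` and `https://other.example` are constructed for illustration, and only the final response check is modelled, not the preflight request.

```javascript
// Added example: a model of the browser's CORS check, not Swagger code.
// Header names are matched exactly here; real HTTP headers are case-insensitive.

// Server side: grant credentialed CORS only to allow-listed origins.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {}; // no grant at all
  return {
    'Access-Control-Allow-Origin': requestOrigin, // exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not reuse one origin's grant for another
  };
}

// Browser side: is the response exposed to the script that made the call?
function corsCheck(pageOrigin, withCredentials, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (!withCredentials && allowOrigin === '*') return { ok: true, reason: 'wildcard' };
  if (allowOrigin !== pageOrigin) {
    return { ok: false, reason: 'origin mismatch (wildcard is not accepted with credentials)' };
  }
  if (!withCredentials) return { ok: true, reason: 'origin match' };
  if (headers['Access-Control-Allow-Credentials'] !== 'true') {
    return { ok: false, reason: 'missing Access-Control-Allow-Credentials: true' };
  }
  return { ok: true, reason: 'credentialed request allowed' };
}

// Constructed sample: a docs page calling a cookie-authenticated API.
const DOCS = 'https://docs.example';
const allowList = [DOCS];
const cases = [
  ['wildcard, no credentials', corsCheck(DOCS, false, { 'Access-Control-Allow-Origin': '*' })],
  ['wildcard, withCredentials', corsCheck(DOCS, true, { 'Access-Control-Allow-Origin': '*' })],
  ['allow-listed origin', corsCheck(DOCS, true, corsHeadersFor(DOCS, allowList))],
  ['unknown origin', corsCheck('https://other.example', true,
    corsHeadersFor('https://other.example', allowList))],
];
for (const [name, result] of cases) {
  console.log(`${name}: ${result.ok ? 'exposed' : 'blocked'} (${result.reason})`);
}
```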

@fishermand46

Thanks for the detailed explanation. I appreciate it. :)

@prantlf
Contributor

prantlf commented Jan 14, 2015

No problem :-) Actually, if you want this fixed, you might consider reopening this issue. I don't think that the cookie authentication works with the vanilla swagger-ui.

(I don't need it anymore, because the REST API I've been working with stopped using the cookie authentication to prevent possible XSRF attacks.)

@fehguy fehguy reopened this Jan 16, 2015
@fehguy fehguy added this to the v2.0.25 milestone Jan 16, 2015
@fehguy fehguy modified the milestones: v2.0.25, v2.1.0-M2 Jan 28, 2015
@mohsen1
Contributor

mohsen1 commented Mar 6, 2015

Closing in favor of #461
