Add CORS headers for swagger/openapi endpoints so that the spec can be rendered with petstore.swagger.io

[b-admike]

Add /swagger-ui which would redirect users to the online SwaggerUI instance with the app's OpenAPI spec loaded and CORS enabled so they could access their endpoints from it.

Description

Related issues

• closes Add CORS support to swagger/openapi endpoints #506

Checklist

• New tests added or existing tests modified to cover all changes
• Code conforms with the style
  guide

[bajtos]

I am afraid this pull request makes very little sense to me.

Even if we decide to include GET /explorer endpoint on LoopBack apps, then I think this should be contributed by an "explorer" extension, it should not be built into core/rest layer.

Maybe I misunderstood your intentions, what am I missing?

[bajtos]

IMO, we need to set Access-Control headers inside _serveOpenApiSpec, not here. GET /explorer would be invoked from the browser as a regular request for an HTML page.

[b-admike]

I think the purpose of the story was to allow CORS for all endpoints defined by an application's OpenAPI spec, so that users can test them out using the SwaggerUI instance. With that in mind, I think it should still be set in this method, otherwise it will only be allowed for the /swagger.{json,yaml} or /openapi.{json,yaml} endpoints. Two things I'm not sure of though are if there are any security implications by doing so, and if we should allow it to be set by our application developers.

[bajtos]

In LoopBack 3.x, /explorer was opening SwaggerUI, not the editor.

[bajtos]

This is the live SwaggerUI instance that people can use to get Explorer-like view of their API: http://petstore.swagger.io/

[b-admike]

@bajtos Thank you. I was thinking we could use /explorer endpoint temporarily built into core, but I agree in making an extension for it. This is just an initial commit to get feedback early.

[raymondfeng]

I don't think replace will change appUrl at all.

[b-admike]

Good catch. I will fix it pending on discussion of #570 (review).

[raymondfeng]

This is wrong. We should not deal with redirect here for the swagger/openapi endpoint. Our responsibility is to serve specs.

[b-admike]

Maybe I misunderstood the story, but I thought we should do it as part of the following acceptance criteria:

Pass generated swagger.json to editor.swagger.io so that users can leverage the existing editor tools on their local application.

@kjdelisle thoughts?

[kjdelisle]

That was my understanding, too. @raymondfeng How do we pass the information along to the server at editor.swagger.io without modifying the request?

[raymondfeng]

There are two separate concerns:

1. Have endpoints from LB to serve openapi/swagger specs
2. A UI to render the spec as api explorer

Most UI such as editor.swagger.io has an option to import URL or set the location. If we want to use redirect to editor.swagger.io, the path should not be /swagger.json. At lease we need to have something like /swagger.json?ui=true. It should NOT be replacing 1 at all.

For the GA version, we'll have /explorer to serve the UI.

[b-admike]

Okay it makes sense to me now that we need to preserve the /{openapi,swagger}.{json,yaml} endpoints. I will take a crack at implementing /swagger.json?ui=true.

[raymondfeng]

The hostname and port should be default the Host header of the http request. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host

[bajtos]

Unfortunately, this will not work in production(like) environments, where the app is running behind a load balancer (nginx, Amalgam8, etc.). The Host header of the http request will be showing the internal hostname not accessible from outside. We could use X-Forwarded-* family of headers to determine the real public host, but I think it's not worth the effort.

[bajtos]

Maybe I misunderstood the story, but I thought we should do it as part of the following acceptance criteria:

Pass generated swagger.json to editor.swagger.io so that users can leverage the existing editor tools on their local application.

Sorry for the confusion!

As I understand this CORS related story, we need to add CORS headers to /swagger* and /openapi endpoint responses so that people can open Swagger UI or Swagger Editor SPA (single-page app) running somewhere else and let it load swagger/openapi spec from their running LoopBack application by manually pasting http://localhost:3000/openapi.json (or similar) to that SPA. This is not possible right now: the browser will prevent the SPA from accessing http://localhost:3000/openapi.json, because the response from LoopBack-next does not allow cross-site requests.

[b-admike]

@bajtos Thank you for clarifying. Can you PTAL at the latest changes? (cc @raymondfeng @kjdelisle) If we expect the users to manually paste the swagger/openapi spec url into SwaggerUI, we can document how they can do that in our wiki.

[raymondfeng]

Is this intentional? The indentation seems to be wrong.

[kjdelisle]

Sorry if I missed it earlier, but is there a reason why we need the header to be *?

[kjdelisle]

If the header needs to be set to *, then LGTM, but I imagine that it should be a bit more restrictive than that, yeah?

[virkt25]

I get we need to set the Header for all endpoints for Swagger but I'm not sure if users would want that enabled in production, especially with the *. Can this be configurable / toggleable via options (ideally ENV variable)? / Can we look into (perhaps as a separate issue) look into turning this into a configurable component?

[raymondfeng]

We should follow the defaults described by http://loopback.io/doc/en/lb3/middleware.json.html#cors-settings.

Access-Control-Allow-Origin: <Origin request header>
Access-Control-Allow-Credentials: true
Access-Control-Allow-Max-Age: 86400

Please note CORS is only enforced by browsers and it's not a security concern for the server itself.

[b-admike]

@virkt25 I think for GA we are aiming to do that (see #488), so I'll leave it as is for now.

[bajtos]

-1 for depending on environment variables.

If you want a feature flag to controller this behaviour, then use app-level configuration, e.g. app.getSync('allow-cors-for-api-spec') here. Then it's up to the applications (or loopback-boot) to wire this binding to the value of process.env.ENABLE_CORS.

IMO, CORS should be always enabled for these endpoints.

[b-admike]

@bajtos Thank you for the insight. I think that can be done later, and I am fine for leaving them always enabled for now as well.

[bajtos]

I find it weird that a query parameter is changing the response so dramatically. Can we use a plain url path like /explorer or /swagger-ui instead?

[b-admike]

That makes sense to me. I will change it to /swagger-ui.

[bajtos]

http://loopback.io/doc/en/contrib/style-guide.html#one-argument-per-line or format the code using Prettier.

[bajtos]

The indentation of code does not match indentation of comments, PTAL.

[bajtos]

nitpick: perhaps _redirectToSwaggerUI would be a better name?

[b-admike]

Yeah I think that's a more descriptive name. 👍