security configuration in openapi spec #528
Comments
It requires a 'security' specification in the openapi json. In the current implementation this is not possible as you need to somehow specify that exposing the existence is not a security breach. Such fine grained control is not implemented. It is either allowed (in which case it is shown) or not, in which case it is hidden. I hope you understand the reasoning. You can use the 'openApiBase' config parameter to add default configuration to the openapi spec.
The way I would envision this was: if auth is set up then all routes are shown with a lock and can't be tested without keys, rather than hiding them. But I understand that it isn't working like that. Thanks again for your reply, really appreciate it!!
I understand your reasoning and it can be implemented. But with the current implementation it would expose the existence of all non-visible tables and columns, as there is only a boolean defining whether or not a table or column should be exposed during a session.
I'll convert this to a feature request for future reference.
Piggybacking on this... would it be possible to make the /openapi endpoint world-readable when authorization middleware is used?
@Niek: allow the 'document' permission, see:
@mevdschee correct me if I'm wrong, but that is to hide certain tables from the documentation, right? As far as I see it can't be used to make the /openapi endpoint accessible without being logged in.
I want to have the API docs open and visible for everyone, but some endpoints I want to be protected, and they should show a lock next to them like here: https://petstore.swagger.io. Is this possible in the current implementation?
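To make concrete what the 'openApiBase' config parameter mentioned earlier in this thread can carry, and what it can and cannot do for the lock-icon question above, here is an added example (not code from the PHP-CRUD-API project or from anyone in this thread). It seeds the generated OpenAPI document with an OpenAPI 3 `components.securitySchemes` entry and a global `security` requirement, which is what makes Swagger UI render a lock on every operation and prompt for the key before "Try it out". The class names and namespaces follow the project's README usage; the API title, version, key value and the `apiKeyAuth` middleware settings are placeholders and assumptions to be checked against your installed version. Because `security` here is global, it applies to all operations alike; it does not give the per-table or per-endpoint granularity that the maintainer says the project does not implement, and it does not by itself change whether /openapi is reachable without authentication.

```php
<?php
// Added example, not the project's own front controller.
// Assumed: PHP-CRUD-API classes and namespaces as documented in its README.
use Tqdev\PhpCrudApi\Api;
use Tqdev\PhpCrudApi\Config;
use Tqdev\PhpCrudApi\RequestFactory;
use Tqdev\PhpCrudApi\ResponseUtils;

require 'vendor/autoload.php'; // assumed: library installed via Composer

// Defaults merged into the generated OpenAPI document via 'openApiBase'.
// 'components.securitySchemes' declares HOW clients authenticate;
// the top-level 'security' list declares that EVERY operation requires it,
// which is what Swagger UI uses to show the lock icon and the Authorize dialog.
$openApiBase = json_encode([
    'info' => [
        'title'   => 'Example API',   // placeholder
        'version' => '1.0.0',         // placeholder
    ],
    'components' => [
        'securitySchemes' => [
            'ApiKeyAuth' => [
                'type' => 'apiKey',
                'in'   => 'header',
                'name' => 'X-API-Key', // must match the header the middleware reads
            ],
        ],
    ],
    // Global requirement: one alternative, the ApiKeyAuth scheme with no scopes.
    // Remove this list to leave operations unlocked in the rendered docs.
    'security' => [
        ['ApiKeyAuth' => []],
    ],
]);

$config = new Config([
    'driver'   => 'mysql',            // placeholder database settings
    'address'  => 'localhost',
    'username' => 'db_user',
    'password' => 'db_password',      // placeholder, never commit real secrets
    'database' => 'example_db',

    // Assumed middleware name and option keys; verify against your version.
    // The middleware enforces the key server-side; the OpenAPI block above
    // only documents that requirement for clients and Swagger UI.
    'middlewares'     => 'apiKeyAuth',
    'apiKeyAuth.keys' => 'REPLACE_WITH_A_RANDOM_KEY', // placeholder

    'openApiBase' => $openApiBase,
]);

$request  = RequestFactory::fromGlobals();
$api      = new Api($config);
$response = $api->handle($request);
ResponseUtils::output($response);
```

The point to keep in mind from the maintainer's replies: the spec generator decides table-by-table whether an entity appears at all, so a global `security` block is a documentation-level setting layered on top of that visibility decision, not a replacement for it. Anything the server still hides from the spec stays hidden regardless of what `openApiBase` declares.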