Adding API Key doesn't appear to do anything #13

Open
sunnyrjuneja opened this issue Apr 16, 2015 · 17 comments

@sunnyrjuneja

Hi,

My initializer looks something like this:

GrapeSwaggerRails.options.tap do |o|
  # other details omitted
  o.before_filter do |request|
    authenticate_with_http_basic do |user, pass|
      # Compare against the block parameters (user, pass); `password` is not defined here
      user == ENV['basic_auth_username'] && pass == ENV['basic_auth_password']
    end
  end
  o.api_auth     = 'bearer'
  o.api_key_name = 'Authorization'
  o.api_key_type = 'header'
end

When I fill in my API key and try to explore the API, my API returns that I'm not authenticated. Chrome headers show my response looks like this:

Remote Address:127.0.0.1:3000
Request URL:http://api.rails-app.dev:3000/users/me
Request Method:GET
Status Code:401 Unauthorized
Request Headersview source
Accept:application/json
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Type:application/json
Cookie:_Swyp_session=eUJVWkFkVDBsY0JUM2lsUlJmK1l3ekZSZkYzWkJob0RtdnZCeS9WVnRzMzYrSWZWY3IrRHk3OG5CWGRoblE1eWdCaEJSZEtQYU8rSk1yci9CLzJsZEFGQWNLYVBia01mbXNBeGViZkxkbWlhc3pDVXg5K0FFa2lJbzFMVTAvTlZKbVNOcmwzLzBwNHJaVVJUT2U0eVZRPT0tLWMwYkZDRVZjT3I0VjYwdzVXY05CakE9PQ%3D%3D--ce1311b8a602a03f272492ae3cdd2b9576bacced
Host:api.rails-app.dev:3000
Referer:http://api.rails-app.dev:3000/swagger
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/39.0.2171.65 Chrome/39.0.2171.65 Safari/537.36

The swaggerApi object doesn't appear to be including any authorization handlers either.

SwaggerApi {url: "http://api.rails-app.dev:3000/swagger_doc", debug: false, basePath: "http://api.rails-app.dev:3000/swagger_doc", authorizations: null, authorizationScheme: null…}

My Gemfile.lock looks like this:

    grape (0.10.1)
      activesupport
      builder
      hashie (>= 2.1.0)
      multi_json (>= 1.3.2)
      multi_xml (>= 0.5.2)
      rack (>= 1.3.0)
      rack-accept
      rack-mount
      virtus (>= 1.0.0)
    grape-entity (0.4.5)
      activesupport
      multi_json (>= 1.3.2)
    grape-swagger (0.10.1)
      grape (>= 0.8.0)
      grape-entity
    grape-swagger-rails (0.1.0)
      grape-swagger (>= 0.7.2)
      railties (>= 3.2.12)

I looked around in the code to try to debug this myself but I couldn't quite figure out where the options were being read.

@dblock
Member

dblock commented Apr 16, 2015

@dblock dblock added the bug? label Apr 16, 2015
@osuthorpe

I am having this same issue and I am not using a custom template

@Ninigi

Ninigi commented Aug 17, 2015

Any news on this?

@dblock
Member

dblock commented Aug 17, 2015

@osuthorpe @Ninigi Do you have a project in which this is reproduced that we can see?

@sunnyrjuneja
Author

@dblock I do not. I'm creating a project to reproduce this now.

@Ninigi

Ninigi commented Aug 18, 2015

@dblock there is a project, but I do not own it, so I don't know if I can show you. However, after looking at your javascript I realised it was mainly my bad.

The handler for adding the api key to the requests is bound to a $.change listener, which is of course only triggered if I actually CHANGE the field after a reload (most browsers will fill it with the last value, which will not trigger the change event)...

I had it running for a while and then did something, I am still not sure what, to break it again, but again I think it's my own fault :)
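The behaviour described in the comment above, as an added simulation (not grape-swagger-rails or Swagger-UI code). `FakeInput`, `AuthRegistry` and the bind functions are hypothetical stand-ins, and the `Bearer` prefix and `Authorization` header name follow the `api_auth` / `api_key_name` settings from the initializer in this issue.

```javascript
// Constructed stand-in for the API key <input>: a value plus change listeners.
class FakeInput {
  constructor(value = "") { this.value = value; this.listeners = []; }
  onChange(fn) { this.listeners.push(fn); }
  // Simulates the user editing the field, which is what fires "change".
  type(value) { this.value = value; this.listeners.forEach((fn) => fn()); }
}

// Hypothetical registry standing in for the UI's table of authorization headers.
class AuthRegistry {
  constructor() { this.headers = {}; }
  set(name, value) {
    if (value) this.headers[name] = value; else delete this.headers[name];
  }
  headersFor(request) { return { ...request.headers, ...this.headers }; }
}

// Copies the current field value into the registry as a bearer header.
function applyKey(input, registry) {
  const key = input.value.trim();
  registry.set("Authorization", key ? `Bearer ${key}` : "");
}

// Wiring as described in the thread: the key is applied only on a change event.
function bindChangeOnly(input, registry) {
  input.onChange(() => applyKey(input, registry));
}

// Adjusted wiring: also apply whatever the browser restored into the field.
function bindChangeAndInit(input, registry) {
  bindChangeOnly(input, registry);
  applyKey(input, registry);
}

// Page reload: the field already holds the last value, and no change event fires.
function simulateReload(bind) {
  const input = new FakeInput("restored-key"); // constructed sample value
  const registry = new AuthRegistry();
  bind(input, registry);
  return registry.headersFor({ headers: { Accept: "application/json" } });
}

console.log(simulateReload(bindChangeOnly));    // no Authorization header
console.log(simulateReload(bindChangeAndInit)); // Authorization header present
```

With change-only wiring the request leaves without credentials even though the field looks filled in, which produces the same 401 as a missing key.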

@dblock
Member

dblock commented Aug 18, 2015

I'll wait to hear from @whatasunnyday.

@sunnyrjuneja
Author

@dblock Please let me know if there's anything else I can do to clarify the problem.

https://github.com/whatasunnyday/gsr-api-key

@dblock
Member

dblock commented Aug 19, 2015

This took me a while.

The header auth information is properly added by the UI where it should be.

However, Swagger-UI doesn't use it. As soon as the endpoint has authorizations: oauth2, it overrides any authorizations set.

I didn't dig through the code, it could be as simple as a key/name conflict or maybe this is by design? Maybe you can try and take it from here?

@dblock
Member

dblock commented Aug 19, 2015

I think this should be reproducible with a test here now (get an endpoint in spec/dummy to return authorizations: oauth2). Then add a spec in spec/features/swagger_spec.rb. That alone would be useful.

Then, I have updated https://github.com/TinkerDev/grape-swagger-rails to the latest https://github.com/swagger-api/swagger-ui. To debug this I substitute swagger-ui.min.js by swagger-ui.js from https://github.com/swagger-api/swagger-ui.

@sunnyrjuneja
Author

@dblock Thank you very much for putting time into this. I'm not entirely sure where the fix would live. Do you think this is an issue with grape-swagger-rails, grape-swagger or wine_bouncer?

@sunnyrjuneja
Author

Also, I'm happy to take this on now that you've helped me find the bug. Thanks again.

@dblock
Member

dblock commented Aug 19, 2015

I think this is a bug with swagger-ui, but it will be much easier to reproduce here, that's what you should do IMO first.

sunnyrjuneja pushed a commit to sunnyrjuneja/grape-swagger-rails that referenced this issue Aug 19, 2015
It appears that Swagger-UI correctly sets an authorization header when
added in the interface (api key field). However, if the endpoint has
the option "authorizations" set with "oauth2", it will override the
value. See ruby-grape#13.
@sunnyrjuneja
Author

@dblock Let me know if there's anything I can do to improve the PR.

sunnyrjuneja pushed a commit to sunnyrjuneja/grape-swagger-rails that referenced this issue Aug 25, 2015
It appears that Swagger-UI correctly sets an authorization header when
added in the interface (api key field). However, if the endpoint has
the option "authorizations" set with "oauth2", it will override the
value. See ruby-grape#13.
@sunnyrjuneja
Author

To debug this I substitute swagger-ui.min.js by swagger-ui.js from https://github.com/swagger-api/swagger-ui.

@dblock Going to give it a go. How did you go about doing this? Did you have to fork the gem and replace it there or is there a simpler way?

@dblock
Member

dblock commented Aug 27, 2015

I just copied the file into this project.

@mikdiet

mikdiet commented Nov 30, 2015

I have this issue too on v0.1.0
