php-crud-api
security configuration in openapi spec
I want to have the API docs open and visible for everyone, but some endpoints I want to be protected and should show a lock next to them, like here: https://petstore.swagger.io. Is this possible in the current implementation?
It requires a 'security' specification in the openapi json. In the current implementation this is not possible as you need to somehow specify that exposing the existence is not a security breach. Such fine grained control is not implemented. It is either allowed (in which case it is shown) or not, in which case it is hidden. I hope you understand the reasoning.
You can use the 'openApiBase' config parameter to add default configuration to the openapi spec.
The way I would envision this was: if auth is set up, then all routes have a lock and can't be tested without keys, rather than hiding them. But I understand that it isn't working like that. Thanks again for your reply, really appreciate it!!
I understand your reasoning and it can be implemented.
But with the current implementation it would expose the existence of all non-visible tables and columns, as there is only a boolean defining whether or not a table or column should be exposed during a session.
I'll convert this to a feature request for future reference.
Piggybacking on this... would it be possible to make the /openapi endpoint world-readable when authorization middleware is used?
@Niek: allow the 'document' permission, see: https://github.com/mevdschee/php-crud-api/blob/3161ca4f1fd45d0f7fa7f4e2d7a2dfa0c3aa27cf/src/Tqdev/PhpCrudApi/RequestUtils.php#L48
@mevdschee correct me if I'm wrong, but that is to hide certain tables from the documentation, right? As far as I see it can't be used to make the /openapi endpoint accessible without being logged in.
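The two knobs mentioned in the thread, the 'openApiBase' config parameter and the 'document' operation checked by the authorization middleware, can be combined as below. This is an added example, not code from the php-crud-api project or from any of the participants. It assumes the library form of the project (api.include.php), the Config/Api/RequestFactory/ResponseUtils classes and the 'apiKeyAuth' and 'authorization' middlewares as documented in the project's README, and that the authorization middleware passes the operation name 'document' for requests to /openapi (the RequestUtils.php line linked above). The table names in the handler are invented for illustration. It adds a global lock icon to every operation in Swagger UI; it does not give per-endpoint locks, and it does not change who may fetch /openapi, which is the open question at the end of the thread.

```php
<?php
// Added example (not php-crud-api's own code). Assumes the library form of the
// project and the config keys documented in its README; table names are invented.
require 'api.include.php';

use Tqdev\PhpCrudApi\Api;
use Tqdev\PhpCrudApi\Config\Config;
use Tqdev\PhpCrudApi\RequestFactory;
use Tqdev\PhpCrudApi\ResponseUtils;

// openApiBase is a JSON string that becomes the base of the generated spec.
// Declaring a security scheme under components and referencing it in the
// top-level 'security' array is what makes Swagger UI draw the lock icon.
// Because it is top-level, the lock applies to every operation: the spec
// cannot express "this table is public, that one is protected" from here.
$openApiBase = json_encode([
    'info' => ['title' => 'My API', 'version' => '1.0.0'],
    'components' => [
        'securitySchemes' => [
            // Must match the apiKeyAuth middleware, which reads X-API-Key by default.
            'ApiKeyAuth' => ['type' => 'apiKey', 'in' => 'header', 'name' => 'X-API-Key'],
        ],
    ],
    'security' => [['ApiKeyAuth' => []]],
]);

$config = new Config([
    'username' => 'php-crud-api',
    'password' => 'php-crud-api',
    'database' => 'php-crud-api',
    'openApiBase' => $openApiBase,
    // apiKeyAuth enforces the key; the lock in the spec is documentation only
    // and protects nothing by itself.
    'middlewares' => 'apiKeyAuth,authorization',
    'apiKeyAuth.keys' => '123456789abc',  // invented key for the example
    'authorization.tableHandler' => function (string $operation, string $tableName): bool {
        // Assumed: the middleware passes 'document' for /openapi requests.
        // Returning false here drops the table from the generated spec, so
        // its existence is not revealed through the documentation.
        $undocumented = ['sessions', 'audit_log'];  // invented table names
        if ($operation == 'document') {
            return !in_array($tableName, $undocumented, true);
        }
        // Record operations are left to apiKeyAuth in this example.
        return true;
    },
]);

$request = RequestFactory::fromGlobals();
$api = new Api($config);
$response = $api->handle($request);
ResponseUtils::output($response);
```

Fetching /openapi with a valid X-API-Key returns a spec in which every path carries the ApiKeyAuth requirement (the lock), and the tables the handler refuses for 'document' are absent rather than locked, which is exactly the all-or-nothing behaviour the maintainer describes.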