Duplicated/Erroneous Authorization Field (Header field being used as a parameter)

Open mwarner1 opened this issue 9 months ago • 0 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current behavior

I am using the @Headers("Authorization") annotation to inject that header into a method inside a TypeScript class, and it works as expected. However, NestJS is using this annotation and presenting it as a required header field, but then does not actually send that field in the API call.

I have main.ts configured so that the Swagger UI page has the "Authorize" button, and entering a value there causes the token to be sent correctly.

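import { DocumentBuilder, SwaggerModule } from "@nestjs/swagger";

// main.ts excerpt: `app` is the Nest application instance created earlier.
const config = new DocumentBuilder()
    .setTitle("Some API")
    .setDescription("The API")
    .setVersion('1.0')
    // Register a bearer security scheme under the name "Authorization".
    .addBearerAuth({
        type: "http",
        scheme: "bearer",
        bearerFormat: "JWT",
        in: "header",
        name: "JWT",
        description: "Enter your Bearer token",
    }, "Authorization")
    // Apply that scheme to every operation in the document.
    .addSecurityRequirements("Authorization")
    .build();
const documentFactory = () => SwaggerModule.createDocument(app, config);
SwaggerModule.setup("v1/api", app, documentFactory);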

However, that makes the value under Parameters unnecessary and even wrong (since it isn't sent anyway). In the screenshot below I did not use the Authorization button at the top of the screen to "Authenticate" in order to illustrate that the value in Parameters is not useful.

Image

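import { Controller, Get, Headers, UnauthorizedException } from "@nestjs/common";

@Controller()
export class UserCredentialController {
    @Get(`/v1/auth/readlogin`)
    async getOwnUserLoginInfo(@Headers("Authorization") authHeader: string) {
        // Reject requests that arrive without an Authorization header.
        if (!authHeader) {
            throw new UnauthorizedException("No authorization header found");
        }
        // Rest of code trimmed
    }
    // omitted
}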

I have tried various combinations of @Api annotations to no avail. Ideally there would be a way to suppress the unused Parameters field. The closest I can get is to make the field optional using @ApiHeader({name: "Authorization", required: false}), but again, this is wrong since anything entered in that field isn't actually sent anyway.

Minimum reproduction code

https://github.com/mwarner1/swagger-bug-demo

Steps to reproduce

No response

Expected behavior

Swagger should not use @Header fields to define parameters.

Package version

11.0.1

NestJS version

4.0.0

Node.js version

20.16.0

In which operating systems have you tested?

  • [x] macOS
  • [ ] Windows
  • [ ] Linux

Other

No response

mwarner1, Jan 17 '25 18:01
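
Added example, not part of the original issue or of @nestjs/swagger: OpenAPI 3.0 states that a header parameter named Authorization, Accept or Content-Type is ignored, which matches the unsent Parameters field described above. The hypothetical helper `stripIgnoredHeaderParams` generalizes to all three names, removes such entries from a generated document object and reports what it dropped; the sample document is constructed.

```typescript
// Minimal structural types for the parts of an OpenAPI 3 document touched here
// (assumed shapes, not the library's own type definitions).
interface ParameterLike { name?: string; in?: string }
interface OperationLike { parameters?: ParameterLike[] }
interface DocumentLike { paths?: { [path: string]: any } }

const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];
// Header names whose parameter definitions OpenAPI 3.0 says are ignored.
const IGNORED_HEADERS = ["authorization", "accept", "content-type"];

// Hypothetical helper: mutates `doc` in place and returns one line per removed
// parameter so the change to the published contract can be reviewed.
function stripIgnoredHeaderParams(doc: DocumentLike): string[] {
  const removed: string[] = [];
  const paths = doc.paths || {};
  for (const path of Object.keys(paths)) {
    for (const method of HTTP_METHODS) {
      const op: OperationLike | undefined = paths[path][method];
      if (!op || !Array.isArray(op.parameters)) continue;
      op.parameters = op.parameters.filter((p) => {
        // Header names are case-insensitive, so compare in lower case.
        const name = (p.name || "").toLowerCase();
        const drop = p.in === "header" && IGNORED_HEADERS.indexOf(name) !== -1;
        if (drop) removed.push(method.toUpperCase() + " " + path + ": " + p.name);
        return !drop;
      });
    }
  }
  return removed;
}

// Constructed sample shaped like the document generated for the controller above.
function sampleDocument(): DocumentLike {
  return {
    paths: {
      "/v1/auth/readlogin": {
        get: {
          parameters: [
            { name: "Authorization", in: "header" },
            { name: "X-Request-Id", in: "header" },
          ],
          security: [{ Authorization: [] }],
        },
      },
    },
  };
}
```

Assumed usage: call it on the object returned by SwaggerModule.createDocument inside documentFactory, before the document reaches SwaggerModule.setup. The security requirement on the operation is left untouched, so the "Authorize" button remains the documented way to supply the token.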