Cleanup APIs exposed via Swagger and CRUD end-points
Overview
Swagger documentation is auto-generated; however, even on a blank starter project, a large number of APIs are exposed and listed. This looks overwhelming and confusing. Some of these APIs should not be exposed at all, and some may even pose a security issue.
For example see the screenshot of some of the APIs listed below:
From the screenshot:
- Yellow - do not have any endpoints and should therefore not be listed.
- Pink - need review as to whether they should be exposed at all in the first place.
- Red - needs to be secured via permissions, as it exposes the full list of APIs.
- Light blue - return errors and should probably not be listed in any case.
- Scratched out in red - I believe are actually redundant, as they're based on the area entity, which is obsolete.
- Dark blue - should have limited CRUD functionality; for example, we should have get and get all but not update and create, as these should be performed via controlled actions.
A full review of all the endpoints listed should be undertaken.
Acceptance Criteria
- Hidden by default - To avoid CRUD endpoints inadvertently getting exposed and potentially posing a security risk, we may want to change the policy so that creation of a CRUD endpoint requires an attribute to be added at the class level.
- The attribute may indicate that it should be inactive by default but may be activated through configuration.
- No APIs that have no endpoints, or whose endpoints return errors, should be listed.
- Any APIs or endpoints that could pose a security risk should not be visible.
- Only users with the developer permission should be able to view Swagger
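As an added illustration of the opt-in policy described in the acceptance criteria (not code from this issue or from the project), here is a small Python model: an entity only gets CRUD routes when it carries a class-level marker, the marker is inactive unless enabled or switched on through configuration, and the Swagger path list is produced only for callers holding the developer permission. The names `expose_crud`, `generate_crud_routes`, `swagger_paths` and the sample entities are assumptions.

```python
# Verb and path template for each CRUD operation on an entity collection.
CRUD_OPS = {
    "get_all": ("GET", "/api/{name}"),
    "get": ("GET", "/api/{name}/{{id}}"),
    "create": ("POST", "/api/{name}"),
    "update": ("PUT", "/api/{name}/{{id}}"),
    "delete": ("DELETE", "/api/{name}/{{id}}"),
}

def expose_crud(operations=("get", "get_all"), enabled=False):
    """Class-level opt-in marker (hypothetical name); read-only operations by
    default, and inactive unless enabled here or switched on through configuration."""
    ops = frozenset(operations)
    unknown = ops - set(CRUD_OPS)
    if unknown:
        raise ValueError(f"unknown CRUD operations: {sorted(unknown)}")
    def decorate(cls):
        cls.__crud_exposure__ = (ops, enabled)
        return cls
    return decorate

def generate_crud_routes(entities, config):
    """Routes to register: only marked entities, only their listed operations,
    and only when enabled by the marker or by config[entity class name] = True."""
    routes = []
    for cls in entities:
        marker = getattr(cls, "__crud_exposure__", None)
        if marker is None:                  # unmarked entity: hidden by default
            continue
        ops, enabled = marker
        if not config.get(cls.__name__, enabled):
            continue                        # marked but inactive and not switched on
        name = cls.__name__.lower()
        for op in sorted(ops):
            verb, path = CRUD_OPS[op]
            routes.append((verb, path.format(name=name)))
    return routes

def swagger_paths(routes, permissions):
    """Paths to list in Swagger: only generated routes, and only for developers."""
    if "developer" not in permissions:
        return None
    return sorted({path for _, path in routes})

# Constructed sample entities, not the project's own.
@expose_crud(operations=("get", "get_all"), enabled=True)
class Order: ...
@expose_crud(operations=("get", "get_all", "create"))  # inactive until configured
class Customer: ...
class Area: ...  # obsolete entity with no marker: never gets endpoints
```

With an empty config only the read-only `Order` routes exist; setting `{"Customer": True}` switches on exactly the operations `Customer` opted into, and `Area` never appears because it carries no marker.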