Red Hat 3scale API Management

THREESCALE-403: Swagger specs hosted on 3scale are exposed without protection


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 2.0 GA, SaaS
    • Component/s: System

      Issue

      Swagger specs published as ActiveDocs are served from the developer portal at the relative path /swagger/spec/<system_name>.json, and that path is not protected. If a spec is meant to be accessible only to internal users, this is a security issue: any user, including users who are not logged in, can fetch the JSON spec directly, and the URL is easy to guess because it is derived from the spec's system name.

      Current workaround

      Host each spec that needs protection directly in the CMS as a JSON file, placed under the appropriate section and wrapped in conditional (Liquid) logic that checks whether the current user is logged in and belongs to the required group. The spec must not also be published as an ActiveDoc, otherwise the unprotected copy at /swagger/spec/<system_name>.json is recreated.

      Pros & Cons

      • Con: the specs cannot be imported or updated via the API.
      • Pro: private and internal documentation is not exposed on the public URL mentioned in the issue.
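      As an added example that is not part of this issue or of 3scale's own code: a small Python script that requests /swagger/spec/<system_name>.json with no credentials and classifies the answer. The same classifier covers both the exposure described in the issue (a JSON Swagger document comes back to an anonymous client) and a check of the workaround above (a CMS-hosted copy behind the Liquid conditional should answer an anonymous request with a redirect, an error status or a non-spec body). The portal host name, the system names and the sample responses are constructed assumptions.

```python
"""Check whether a 3scale developer portal serves an ActiveDocs spec to
anonymous clients.

Added example, not part of the Jira issue or of 3scale.  The portal host
name and system names below are assumptions; the sample responses are
constructed to mimic what the portal typically returns.
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample bodies (not captured from a real portal).
SAMPLE_PUBLIC_SPEC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Internal Billing API", "version": "1.0"},
    "paths": {"/invoices": {"get": {"summary": "List invoices"}}},
})
SAMPLE_LOGIN_HTML = "<html><body><form action='/login'>Sign in</form></body></html>"


def spec_url(portal, system_name):
    """Build the unprotected ActiveDocs URL named in the issue."""
    return "%s/swagger/spec/%s.json" % (portal.rstrip("/"), system_name)


def classify_spec_response(status, content_type, body):
    """Classify an anonymous GET of a spec URL.

    "exposed"   - 2xx with a JSON body that looks like a Swagger/OpenAPI document
    "protected" - 401/403, a redirect (e.g. to the login page), or a 2xx body
                  that is not a spec (login HTML, empty page from a Liquid
                  conditional that rendered nothing)
    "missing"   - 404
    "error"     - anything else (5xx etc.), which proves nothing either way
    """
    if status == 404:
        return "missing"
    if status in (401, 403) or 300 <= status < 400:
        return "protected"
    if 200 <= status < 300:
        if "json" in content_type.lower():
            try:
                doc = json.loads(body)
            except ValueError:
                return "protected"
            if isinstance(doc, dict) and ("swagger" in doc or "openapi" in doc):
                return "exposed"
        return "protected"
    return "error"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a bounce to /login shows up as 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url, timeout=10):
    """GET url with no cookies or tokens; return (status, content_type, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return (resp.status, resp.headers.get("Content-Type", ""),
                    resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return (e.code, e.headers.get("Content-Type", ""),
                e.read().decode("utf-8", "replace"))


def audit(portal, system_names):
    """Map each system name to its classification for an anonymous client."""
    return {name: classify_spec_response(*fetch_anonymous(spec_url(portal, name)))
            for name in system_names}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("public ActiveDoc  ->",
          classify_spec_response(200, "application/json", SAMPLE_PUBLIC_SPEC))
    print("CMS page, anon    ->",
          classify_spec_response(200, "text/html", SAMPLE_LOGIN_HTML))
    # Live run: python check_spec.py https://<tenant>-developer.3scale.net billing-api
    if len(sys.argv) > 2:
        for name, verdict in audit(sys.argv[1], sys.argv[2:]).items():
            print("%-30s %s" % (name, verdict))
```

A verdict of "exposed" for a spec that is supposed to be internal reproduces the issue; after moving the spec into the CMS under a conditional, the same check against the CMS page should come back "protected" and the old /swagger/spec/ path "missing".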

      Suggested solution

      Each spec could carry a predefined permission level, configured from the UI, such as:

      • visible to logged-in users only
      • visible only to members of the groups configured for that spec

      Pros & Cons

      • Con: could be complex to implement.
      • Pro: greater granularity and control over internal and security-sensitive API specs.
      • Pro: would reduce the amount of custom Liquid logic required to control the visibility of particular ActiveDocs.

              Assignee: Unassigned
              Reporter: Kevin Price (rhn-support-keprice)
              Votes: 2
              Watchers: 7