Details
-
Feature Request
-
Resolution: Can't Do
-
Major
-
None
-
2.0 GA, SaaS
-
0
-
0%
Description
Issue
Swagger specs are exposed at the relative path on the dev portal /swagger/spec/<system_name>.json and this is not protected. If the spec should only be accessible to internal users for example then this presents a security issue as any user including non-logged in users can access the JSON spec.
Current workaround
Host the specs that should be protected directly on the CMS as a JSON file under the appropriate section protected by conditional logic checking for logged in state and group membership.
Pros & Cons
- the specs cannot be imported or updated via API
- the private & internal documentation will not be exposed on the public URL mentioned in the issue.
Suggested solution
The spec can have predefined permission levels configured from the UI such as;
- visible to logged in users only
- groups configured can be given access to the relevant specs
Pros & Cons
- Could be complex to implement
- Greater granularity and control over internal and security-sensitive API specs
- Would reduce the amount of custom liquid logic required to control visibility to certain ActiveDocs