Reading response headers in Swagger-ui


Bert Verhees

Jun 18, 2015, 11:33:15 AM
to swagger-sw...@googlegroups.com

I am using swagger 2.1.0. I am able to send a header in a request, thanks to the example: https://github.com/swagger-api/swagger-ui#http-methods-and-api-invocation


But now my question: the key which is to be sent with this example call is to be received in a header of the previous response.

How can I read the headers of the previous response, so I can extract the value to send?


Maybe a better, simpler question: How can I read the headers which come with a response?


Thanks Bert

Bert Verhees

Jun 18, 2015, 1:51:32 PM
to swagger-sw...@googlegroups.com
An alternative question is, how do I read a set-cookie to send back the same cookie contents?

Please, I would welcome very much a small code-example which fits in swagger-ui

Thanks
Bert

On Thursday, 18 June 2015 17:33:15 UTC+2, Bert Verhees wrote:

Josh Ponelat

Jun 19, 2015, 2:12:46 AM
to swagger-sw...@googlegroups.com
Hi Bert,

Regarding the set-cookie... is your server on a different domain from swagger-ui? i.e. CORS?

Cookies fall under the 'credentials' restriction in CORS, and you would simply need to set up the server to allow credentialed requests (at least Access-Control-Allow-Credentials: true, and an explicit domain name in Access-Control-Allow-Origin: 'http://example.com'; you won't be able to use '*').

With a little tweak in swagger-ui, we can send back the cookie that was sent by your server. However, as regards reading your cookie... I don't believe that's possible with CORS, but I could be wrong on that count.

I'll post an example of sending the cookie back from swagger-ui's side. You'll still need to configure your server for the rest. https://github.com/swagger-api/swagger-ui/blob/master/README.md#enabling-cors

> Also bear in mind that cookies are /not/ sent over CORS with IE < 10 - Microsoft doesn't allow it.


Regarding reading of response headers: similar restrictions apply for CORS and you would have to expose custom headers (Access-Control-Expose-Headers: x-your-header, x-another).

There is a responseInterceptor option in the constructor, which mutates the object for swagger-ui, post request. If the cookie option doesn't work for you, we can make an example of the responseInterceptor.

--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
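
The CORS rules described in this message, as an added example that is not part of the original post or of swagger-ui: a small model of the browser's checks that reports whether a credentialed cross-origin response is accepted and which response headers script may read. The function names, origins and header values are constructed for illustration.

```javascript
// Added example: models the browser-side CORS checks for one response.
// Header names and values in `sample` are constructed, not from the thread.
const SAFELISTED = ['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma'];
// Response headers script can never read, same-origin or cross-origin.
const FORBIDDEN = ['set-cookie', 'set-cookie2'];

function lower(headers) {
  const out = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = String(headers[k]).trim();
  return out;
}

function deny(reason) { return { allowed: false, reason, readable: [] }; }

// pageOrigin: origin of the page hosting swagger-ui (hypothetical value).
function corsView(pageOrigin, withCredentials, responseHeaders) {
  const h = lower(responseHeaders);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return deny('no Access-Control-Allow-Origin');
  if (withCredentials) {
    if (acao === '*') return deny("'*' is rejected for credentialed requests");
    if (h['access-control-allow-credentials'] !== 'true')
      return deny('Access-Control-Allow-Credentials is not "true"');
  }
  if (acao !== '*' && acao !== pageOrigin) return deny('origin mismatch');

  const exposed = (h['access-control-expose-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  // '*' in Expose-Headers is a wildcard only without credentials.
  const wildcard = !withCredentials && exposed.includes('*');
  const readable = Object.keys(h).filter(name =>
    !FORBIDDEN.includes(name) &&
    (wildcard || SAFELISTED.includes(name) || exposed.includes(name))).sort();
  return { allowed: true, reason: 'ok', readable };
}

const sample = {
  'Access-Control-Allow-Origin': 'http://docs.example.com',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Expose-Headers': 'x-your-header',
  'Content-Type': 'application/json',
  'Set-Cookie': 'sid=abc123; Path=/',
  'X-Your-Header': 'token-1',
  'X-Another': 'hidden',
};
console.log(corsView('http://docs.example.com', true, sample));
```

Set-Cookie stays out of the readable list even when it is named in Access-Control-Expose-Headers, so a session value that script must read has to travel in an exposed custom header.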

Josh Ponelat

Jun 19, 2015, 2:57:01 AM
to swagger-sw...@googlegroups.com
The needed changes in swagger-ui for sending back cookies over CORS.... https://gist.github.com/ponelat/bda3422d00734d4fc9fa

Josh Ponelat

Jun 19, 2015, 3:06:56 AM
to swagger-sw...@googlegroups.com
Just take care, that if you include the above snippet and your server isn't configured for it, you'll get a CORS error in your browser. ie: you can't use that snippet for both servers with credentials and without.

Bert Verhees

Jun 19, 2015, 3:10:39 AM
to swagger-sw...@googlegroups.com
Thanks Josh, if I can just send the same cookie back, I would be very thankful.

I take care that swagger and the server keep on running on the same server/port number, so then it should remain CORS compatible.
In fact, I like this restriction.

I was looking through the swagger-code yesterday and the day before, but I am really not good with Javascript, not much experience, else I would have done it myself.

I will explain to you why I need it so badly.

I built the server myself, and it prefers cookies to exchange the session Id, which changes at every call for security reasons.
But if the server discovers that there are no cookies coming back, it takes a look in the headers to see if there is a header containing that session Id.
I cannot escape the sessionId concept, because I have a pure Role Based Access Control (RBAC), which has the advantage that it has only a very small number of permissions/roles to check.
The number of users logged in to a system is always greater than or equal to the number of Roles logged in.
It is a less demanding authorization mechanism.

So I need this cookie functionality, or if that is more convenient, the resending of the header item, very badly.

Thank you very much for helping me in this issue.

Best regards,
Bert Verhees



On Friday, 19 June 2015 08:12:46 UTC+2, Josh Ponelat wrote:

Josh Ponelat

Jun 19, 2015, 3:31:20 AM
to swagger-sw...@googlegroups.com
If your server and swagger-ui are on the same protocol/host/port then cookies /should/ be sent along with every request.

I've just tested this using node.js server and the latest swagger-ui.
I'm sending no CORS headers... here is a screen shot of the request/response...


Note that the Set-Cookie is the new cookie coming in, and the Cookie is the previous cookie getting sent back.


Josh Ponelat

Jun 19, 2015, 3:32:26 AM
to swagger-sw...@googlegroups.com
PS: no modifications were done to swagger-ui

Bert Verhees

Jun 19, 2015, 7:02:43 AM
to swagger-sw...@googlegroups.com
Thanks Josh, I am testing it.

I just modified the index.html, like you showed, so it should work, but I discovered I had a cookie-domain problem on the server, so I repaired that first.

Do I need to change something in the swagger.json I use to load my API?

On Friday, 19 June 2015 09:32:26 UTC+2, Josh Ponelat wrote:

Josh Ponelat

Jun 19, 2015, 7:17:28 AM
to swagger-sw...@googlegroups.com
1) If you have the server and the client on the same domain/port, you should not need to change anything in the index.html file or the server for that matter. Cookies should go back and forth normally.

2) If they are on different domains, then you can modify the index.html to account for that.

3) Modifying the swagger.json file would only be necessary if you use the `security` and `securityDefinition` declarations. As they control which authentications swagger-ui should execute. However by default, swagger-ui will execute /all/ auths if no `security` declarations exist.

I don't think 2) and 3) apply, as they are for CORS only.

Let me know how you proceed :)
Josh



Message has been deleted
Message has been deleted

Bert Verhees

Jun 19, 2015, 8:24:45 AM
to swagger-sw...@googlegroups.com
Maybe it is the "Discard"-setting (Max-Age=-1) that causes the problem?

-1 means, live as long as the user-agent (browser) lives, it is in Restlet the default setting.
0 means, destroy immediately
>0 means, live as long as the number is.

-1 is the most convenient setting for session cookies, and it is according to RFC2965
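
How a user agent that follows RFC 6265 treats the Max-Age and Domain attributes raised in this thread, as an added example that is not part of the original post and is not swagger-ui or Restlet code. Under RFC 6265 section 5.2.2 a Max-Age of zero or less expires the cookie at once, and a session cookie is one sent with no Max-Age or Expires attribute; the host name and cookie values below are constructed.

```javascript
// Added example: simplified RFC 6265 handling of one Set-Cookie header.
// Not swagger-ui or Restlet code. Expires, Secure, HttpOnly, IP-address hosts
// and public-suffix checks are not modelled (assumption).
function defaultPath(pathname) {
  // Section 5.1.4: directory part of the request path, or "/" if none.
  const cut = pathname.lastIndexOf('/');
  return cut <= 0 ? '/' : pathname.slice(0, cut);
}

function evaluateSetCookie(setCookie, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();   // the port is not part of cookie scope
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return { stored: false, reason: 'missing name=value' };
  const cookie = { name: pair.slice(0, eq), domain: host, hostOnly: true,
                   path: defaultPath(u.pathname), maxAge: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) {
      cookie.maxAge = parseInt(val, 10);
    } else if (key === 'domain' && val) {
      const d = val.replace(/^\./, '').toLowerCase();
      // Section 5.3: a Domain the request host does not match drops the cookie.
      if (host !== d && !host.endsWith('.' + d))
        return { stored: false, reason: 'Domain does not match request host' };
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    }
  }
  // Section 5.2.2: zero or negative Max-Age means "expire now"; a session
  // cookie is one sent with no Max-Age (and no Expires) at all.
  if (cookie.maxAge !== null && cookie.maxAge <= 0)
    return { stored: false, reason: 'Max-Age <= 0 expires the cookie immediately' };
  return { stored: true, reason: 'ok', cookie };
}

const sampleUrl = 'http://api.example.test:8080/v1/login';  // constructed
for (const header of ['sid=a1; Max-Age=-1; Path=/', 'sid=a1; Path=/',
                      'sid=a1; Domain=other.example.test; Path=/']) {
  console.log(header, '->', evaluateSetCookie(header, sampleUrl).reason);
}
```

Running it against the Set-Cookie line copied from the browser's network tab shows whether the cookie is dropped before any request could carry it back.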




Message has been deleted

Bert Verhees

Jun 19, 2015, 11:37:18 AM
to swagger-sw...@googlegroups.com
Sorry I removed the message with the images, it did not feel secure to leave them there.

On Friday, 19 June 2015 15:44:33 UTC+2, Bert Verhees wrote:
I messed up the index.html script, this happens when one tries all kinds of things at the same time.

But it is now like this, and it still does not send a cookie:

<script type="text/javascript">
  $(function () {
    var url = window.location.href;
    if (url.indexOf('#') != -1) {
      url = url.substr(0, url.indexOf('#'));
    }
    url = url.substr(0, url.lastIndexOf('/')) + "/swagger.json";

    window.swaggerUi = new SwaggerUi({
      url: url,
      useJQuery: true,
      dom_id: "swagger-ui-container",
      authorizations: {
        makeCredentialed: function() {
          this.xhrFields = {withCredentials: true}; // The important bit, along with useJQuery
          return true;
        }
      },
      supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
      onComplete: function(swaggerApi, swaggerUi){
        if(typeof initOAuth == "function") {
          initOAuth({
            clientId: "your-client-id",
            realm: "your-realms",
            appName: "your-app-name"
          });
        }

        $('pre code').each(function(i, e) {
          hljs.highlightBlock(e)
        });

      },
      onFailure: function(data) {
        log("Unable to Load SwaggerUI");
      },
      docExpansion: "none",
//      apisSorter: "alpha",
      showRequestHeaders: true
    });

    window.swaggerUi.load();

    function log() {
      if ('console' in window) {
        console.log.apply(console, arguments);
      }
    }
  });
</script>

Josh Ponelat

Jun 19, 2015, 11:40:54 AM
to swagger-sw...@googlegroups.com
I've been trying to figure this out. But unfortunately, I can't see the issue (I'm no expert when it comes to HTTP headers).

What I can suggest is try a local server first, and confirm that swagger-ui does what you expect.
I can send you an ajax sample (no swagger just javascript + jquery) which should send cookies just as well. You can use this minimal example to test against your server and then use swagger-ui after you've managed to reach success.


I'll send it shortly...


Josh Ponelat

Jun 19, 2015, 12:00:23 PM
to swagger-sw...@googlegroups.com
Attached is a bare minimal file (a bit messy, but still minimal)
That makes a request.. when I host it on a server (same protocol/domain/port).
This sends the cookies back. If you have this working, it's a foundation and perhaps we can find the issue.

I'm off for today, but don't hesitate to send us an email... If I can't solve this I'm sure someone else can.

Josh
ajax.html

Bert Verhees

Jun 19, 2015, 7:49:22 PM
to swagger-sw...@googlegroups.com
The swagger-page is hosted on the same host, and same port as the rest-API is running.

So that cannot be a problem.

Bert

Bert Verhees

Jun 19, 2015, 8:08:28 PM
to swagger-sw...@googlegroups.com
In fact, it seems easy to me, if one knows where to inject the needed functions.

At the point where the "Try it Out" button is pressed, there must be some "setCookie" code which creates and sets a cookie in the request, filled with global variables regarding domain, etc.
At the point where the response is ready receiving, there must be a getCookie which fills the global variables.

My problem is that I don't know where that would be in the enormous amount of code.

So if you could help me find these spots, I could as well program it in the lib-code, but better of course would be if it could get injected via the index.html.

Bert

On Saturday, 20 June 2015 01:49:22 UTC+2, Bert Verhees wrote:

Josh Ponelat

Jun 20, 2015, 12:29:35 AM
to swagger-sw...@googlegroups.com

Cookies don't get explicitly attached to requests.. that is handled by the browser - which sends them based on your browser settings and other restrictions.

You can forcibly set the 'Cookie' header in requests, but this mostly has mixed results.
Does your cookie data need to be modified, once it's on the client? Or can it be sent... as-is back to the server?

The above html page, is simply for testing whether cookies get sent back and forth on /any/ system. Not just CORS related.

So, host that file from the server and direct your browser there. Have a look in the network tab, to see if cookies are getting sent back and forth. You will need to tweak the URL to be correct.

-

Cookies can be written and accessed (sometimes, as there are a few restrictions) from the `document.cookie` magic getter/setter.

To write a cookie....
`document.cookie = 'swagger=cool; Path=/'`, note it will not overwrite other cookies despite how it looks.

To read...
`var myCookieValue = (document.cookie.match(/(?:^|; )swagger=([^;]*)/) || [])[1]`

You're welcome to experiment with this, by outputting the results into the console tab of your browser like so.... Add this in the onSuccess callback in the index.html.

console.log('MyCookie is ', (document.cookie.match(/(?:^|; )YourCookie=([^;]*)/) || [])[1]);


--

Bert Verhees

Jun 20, 2015, 7:00:15 AM
to swagger-sw...@googlegroups.com
That is true, but most browsers allow cookies, the Internet is for a major part unusable without.

Can you help me with the related question I posted yesterday in this thread?

https://groups.google.com/d/msg/swagger-swaggersocket/S2qpIACm4NE/TQc_TubXnlAJ