[英].Net Core Swashbuckle skip authorization header on redirects
In a .Net Core web API I integrated Swagger using Swashbuckle.在 .Net Core Web API 中,我使用 Swashbuckle 集成了 Swagger。 The API is protected so one will need to authorize and login before doing some requests in the Swagger UI.该 API 受到保护,因此在 Swagger UI 中执行某些请求之前,需要进行授权和登录。 This all works great.这一切都很好。
Now one API call creates a presigned URL and returns an HTTP redirect to the file server (the presigned URL).现在,一个 API 调用会创建一个预签名 URL 并将 HTTP 重定向返回到文件服务器(预签名 URL)。
The problem is that Swagger UI sends the authorization header with the JWT token to the file server (MinIO).问题在于 Swagger UI 将带有 JWT 令牌的授权标头发送到文件服务器 (MinIO)。 This causes the file server receiving two different authentication mechanisms and responds with invalid request.这会导致文件服务器接收两种不同的身份验证机制并以无效请求进行响应。
Is there a way to influence how Swagger UI treats redirects or to not send the token on redirects?有没有办法影响 Swagger UI 如何处理重定向或不在重定向时发送令牌?
I too came across this problem and realized that when fetch
redirects to the presigned S3 URL you can't prevent it from sending the Authorization headers from your API.我也遇到了这个问题,并意识到当fetch
重定向到预先签名的 S3 URL 时,您无法阻止它从您的 API 发送授权标头。
Eventually I have able to get this working by using the responseInterceptor
configuration argument for Swagger with a custom function that detects the bad request (400) response from S3 and then re-issues the fetch
request with credentials: 'omit'
.最终,我能够通过使用 Swagger 的responseInterceptor
配置参数和一个自定义函数来实现这一点,该函数检测来自 S3 的错误请求 (400) 响应,然后使用credentials: 'omit'
重新发出fetch
请求credentials: 'omit'
。
Here is my custom response interceptor for Swagger:这是我的 Swagger 自定义响应拦截器:
// swagger-ui-extensions.js
function serializeHeaderValue(value) {
const isMulti = value.includes(', ');
return isMulti ? value.split(', ') : value;
}
function serializeHeaders(headers = {}) {
return Array.from(headers.entries()).reduce((acc, [header, value]) => {
acc[header] = serializeHeaderValue(value);
return acc;
}, {});
}
function myResponseInterceptor(response) {
// NOTE: Additional checks should probably be added whether to re-issue the fetch. This was just an initial starting point.
if (response.ok === false && response.status === 400 && response.headers['server'] === 'AmazonS3') {
// Here is the important part, re-issue fetch but don't allow our Authentication header to flow
response = fetch(response.url, { credentials: 'omit' })
.then(nativeResponse => {
// We can't return the native response because Swagger UI attempts to assign the header property (and potentially other properties
// too) on the response. So return a serialized clone of the native response. FYI, this is the same exact logic from Swagger's fake
// implementation of fetch.
const getBody = nativeResponse.blob || nativeResponse.buffer;
return getBody.call(nativeResponse).then(body => {
return {
ok: nativeResponse.ok,
url: nativeResponse.url,
status: nativeResponse.status,
statusText: nativeResponse.statusText,
headers: serializeHeaders(nativeResponse.headers),
data: body
};
});
});
}
return response;
}
Then I had to specify my custom myResponseInterceptor
when initializing the Swagger UI in index.html
然后我必须在index.html
初始化 Swagger UI 时指定我的自定义myResponseInterceptor
// (other code omitted for brevity...)
// Make sure to include your custom JS in the page
// <script src="./swagger-ui-extensions.js"></script>
// Specifying the custom responseInterceptor here...
configObject.responseInterceptor = myResponseInterceptor;
// Begin Swagger UI call region
const ui = SwaggerUIBundle(configObject);
ui.initOAuth(oauthConfigObject);
// End Swagger UI call region
window.ui = ui;
I was using ASP.NET Core and used these instructions to provide my own index.html
for Swagger UI: https://github.com/domaindrivendev/Swashbuckle.AspNetCore#customize-indexhtml我正在使用 ASP.NET Core 并使用这些说明为 Swagger UI 提供我自己的index.html
: https : //github.com/domaindrivendev/Swashbuckle.AspNetCore#customize-indexhtml
After all that, this surprisingly worked and I was able to see the redirected response from S3 in Swagger.毕竟,这出人意料地有效,我能够在 Swagger 中看到来自 S3 的重定向响应。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.