
Add Authorize Attribute Filter in Swashbuckle Implementation of Swagger

Looking to add the AuthorizeFilterAttribute or AnonymousFilterAttribute to an endpoint in Swashbuckle's implementation of Swagger so I can see which attribute is used on each endpoint in the generated documentation file in a running webapi that ends in /swagger. Is this currently possible?

I specifically would like to add a big bold label that says this endpoint is [Anonymous] or that endpoint is using [Authorize] and have them look different than the summary or remark text.

Also I would like to be able to filter out all the different types of these restriction filter attributes for each endpoint including [NonAction], [Authorize], and [Anonymous] where one of these might be at the top of each controller endpoint. Maybe even eventually add other types of FilterAttributes besides these on each endpoint.

Currently it looks like only the HTTP Methods, the request and response objects can be retrieved in the current implementation so I was not able to find definitive information on this.

Since this is a Swagger implementation do these .NET specific attribute filters not translate to Swashbuckle b/c they only implement what's in the Swagger specification and nothing else?

Finally, are there .NET specific extensions to Swashbuckle's implementation that do this?

Thanks!

For the part adding the label to unprotected methods/actions you could use an operation filter like this

  using System;
  using System.Linq;
  using System.Reflection;
  using Microsoft.AspNetCore.Authorization;
  using Swashbuckle.AspNetCore.Swagger;
  using Swashbuckle.AspNetCore.SwaggerGen;

  public class UnprotectedOperationFilter : IOperationFilter
  {
    // Returns true if the action or its controller carries an attribute of the given type.
    private bool HasAttribute(MethodInfo methodInfo, Type type, bool inherit)
    {
      // inherit = true also checks inherited attributes
      var actionAttributes = methodInfo.GetCustomAttributes(inherit);
      var controllerAttributes = methodInfo.DeclaringType.GetTypeInfo().GetCustomAttributes(inherit);
      var actionAndControllerAttributes = actionAttributes.Union(controllerAttributes);

      return actionAndControllerAttributes.Any(attr => attr.GetType() == type);
    }

    public void Apply(Operation operation, OperationFilterContext context)
    {
      bool hasAuthorizeAttribute = HasAttribute(context.MethodInfo, typeof(AuthorizeAttribute), true);
      bool hasAnonymousAttribute = HasAttribute(context.MethodInfo, typeof(AllowAnonymousAttribute), true);

      // so far as I understood the action/operation is public/unprotected
      // if there is no authorize or an allow anonymous (allow anonymous overrides all authorize)
      bool isAuthorized = hasAuthorizeAttribute && !hasAnonymousAttribute;

      if (!isAuthorized)
      {
        // Prepend the label to whatever description the operation already has.
        operation.Description =
          "<p><b>BIG BOLD LABEL indicating an UNPROTECTED PUBLIC method</b></p>"
          + operation.Description;
      }
    }
  }

and add it with

services.AddSwaggerGen(c => { c.OperationFilter<UnprotectedOperationFilter>();} );

I didn't understand what you mean with filter out different attributes but I hope the code above helps you to check if the attribute is present and do what you desire to do.
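As an added example (not part of the original answer), the filter below extends the same idea: it labels every operation as [Anonymous] or [Authorize], lists the policy and roles named on the attributes, and documents 401/403 responses for protected endpoints. The class name `AuthorizationLabelOperationFilter` is hypothetical, and the code assumes the same Swashbuckle types the answer uses (`Operation`, `Response`, `OperationFilterContext.MethodInfo`).

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Authorization;
using Swashbuckle.AspNetCore.Swagger;
using Swashbuckle.AspNetCore.SwaggerGen;

// Hypothetical filter name; assumes the Swashbuckle types used in the answer above.
public class AuthorizationLabelOperationFilter : IOperationFilter
{
    public void Apply(Operation operation, OperationFilterContext context)
    {
        // Action attributes plus controller attributes, inherited ones included.
        var attributes = context.MethodInfo.GetCustomAttributes(true)
            .Concat(context.MethodInfo.DeclaringType.GetCustomAttributes(true))
            .ToList();
        // OfType<T>() also matches classes derived from the attribute,
        // which an exact GetType() comparison would miss.
        var authorize = attributes.OfType<AuthorizeAttribute>().ToList();
        bool allowAnonymous = attributes.OfType<AllowAnonymousAttribute>().Any();

        // Only attributes are visible here: an authorization filter registered
        // globally in MVC options does not show up, so "[Anonymous]" means
        // "no attribute requires authorization", nothing more.
        if (allowAnonymous || authorize.Count == 0)
        {
            operation.Description = "<p><b>[Anonymous]</b></p>" + operation.Description;
            return;
        }

        // Collect the policies and roles named on the [Authorize] attributes.
        var requirements = new List<string>();
        requirements.AddRange(authorize.Where(a => !string.IsNullOrEmpty(a.Policy))
                                       .Select(a => "policy: " + a.Policy));
        requirements.AddRange(authorize.Where(a => !string.IsNullOrEmpty(a.Roles))
                                       .Select(a => "roles: " + a.Roles));
        string detail = requirements.Count > 0
            ? " (" + WebUtility.HtmlEncode(string.Join("; ", requirements.Distinct())) + ")"
            : string.Empty;
        operation.Description = "<p><b>[Authorize]" + detail + "</b></p>" + operation.Description;

        // Document the responses a protected endpoint can return.
        if (!operation.Responses.ContainsKey("401"))
            operation.Responses.Add("401", new Response { Description = "Unauthorized" });
        if (!operation.Responses.ContainsKey("403"))
            operation.Responses.Add("403", new Response { Description = "Forbidden" });
    }
}
```

It is registered the same way, with `c.OperationFilter<AuthorizationLabelOperationFilter>();` inside `AddSwaggerGen`.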
