Adding API Key doesn't appear to do anything

[sunnyrjuneja]

Hi,

My initializer looks something like this:

GrapeSwaggerRails.options.tap do |o|
  # other details omitted
  o.before_filter do |request|
    authenticate_with_http_basic do |user, pass|
      user == ENV['basic_auth_username'] && password == ENV['basic_auth_password']
    end
  end
  o.api_auth     = 'bearer'
  o.api_key_name = 'Authorization'
  o.api_key_type = 'header'
end

When I fill in my API key and try to explore the API, my API returns that I'm not authenticated. Chrome headers show my response looks like this:

Remote Address:127.0.0.1:3000
Request URL:http://api.rails-app.dev:3000/users/me
Request Method:GET
Status Code:401 Unauthorized
Request Headersview source
Accept:application/json
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Type:application/json
Cookie:_Swyp_session=eUJVWkFkVDBsY0JUM2lsUlJmK1l3ekZSZkYzWkJob0RtdnZCeS9WVnRzMzYrSWZWY3IrRHk3OG5CWGRoblE1eWdCaEJSZEtQYU8rSk1yci9CLzJsZEFGQWNLYVBia01mbXNBeGViZkxkbWlhc3pDVXg5K0FFa2lJbzFMVTAvTlZKbVNOcmwzLzBwNHJaVVJUT2U0eVZRPT0tLWMwYkZDRVZjT3I0VjYwdzVXY05CakE9PQ%3D%3D--ce1311b8a602a03f272492ae3cdd2b9576bacced
Host:api.rails-app.dev:3000
Referer:http://api.rails-app.dev:3000/swagger
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/39.0.2171.65 Chrome/39.0.2171.65 Safari/537.36

The swaggerApi object doesn't appear to be including any authorization handlers either.

SwaggerApi {url: "http://api.rails-app.dev:3000/swagger_doc", debug: false, basePath: "http://api.rails-app.dev:3000/swagger_doc", authorizations: null, authorizationScheme: null…}

My Gemfile.lock looks like this:

    grape (0.10.1)
      activesupport
      builder
      hashie (>= 2.1.0)
      multi_json (>= 1.3.2)
      multi_xml (>= 0.5.2)
      rack (>= 1.3.0)
      rack-accept
      rack-mount
      virtus (>= 1.0.0)
    grape-entity (0.4.5)
      activesupport
      multi_json (>= 1.3.2)
    grape-swagger (0.10.1)
      grape (>= 0.8.0)
      grape-entity
    grape-swagger-rails (0.1.0)
      grape-swagger (>= 0.7.2)
      railties (>= 3.2.12)

I looked around in the code to try to debug this myself but I couldn't quite figure out where the options were being read.

[dblock]

Do you have your own template? Look at https://github.com/TinkerDev/grape-swagger-rails/blob/master/app/views/grape_swagger_rails/application/index.html.erb#L2.

[osuthorpe]

I am having this same issue and I am not using a custom template

[Ninigi]

Any news on this?

[dblock]

@osuthorpe @Ninigi Do you have a project in which this is reproduced that we can see?

[sunnyrjuneja]

@dblock I do not. I'm creating a project to reproduce this now.

[Ninigi]

@dblock there is a project, but I do not own it, so I don't know if I can show you. However, after looking at your javascript I realised it was mainly my bad.

The handler for adding the api key to the requests is bound to a $.change listener, which is of course only triggered if I actually CHANGE the field after a reload (most browsers will fill it with the last value, which will not trigger the change event)...

I had it running for a while and then did something, I am still not sure what, to break it again, but again I think it's my own fault :)

[dblock]

I'll wait to hear from @whatasunnyday.

[sunnyrjuneja]

@dblock Please let me know if there's anything else I can do to clarify the problem.

https://github.com/whatasunnyday/gsr-api-key

[dblock]

This took me a while.

The header auth information is properly added by the UI where it should be.

However, Swagger-UI doesn't use it. As soon as the endpoint has authorizations: oauth2, it overrides any authorizations set.

I didn't dig through the code, it could be as simple as a key/name conflict or maybe this is by design? Maybe you can try and take it from here?

[dblock]

I think this should be reproducible with a test here now (get an endpoint in spec/dummy to return authorizations: oauth2. Then add a spec in spec/features/swagger_spec.rb. That alone would be useful.

Then, I have updated https://github.com/TinkerDev/grape-swagger-rails to the latest https://github.com/swagger-api/swagger-ui. To debug this I substitute swagger-ui.min.js by swagger-ui.js from https://github.com/swagger-api/swagger-ui.

[sunnyrjuneja]

@dblock thank you very much for putting time into this. i'm not entirely sure where the fix would live. do you think is this an issue with grape-swagger-rails, grape-swagger or wine_bouncer?

[sunnyrjuneja]

also, i'm happy to take this on now that you've helped me find the bug. thanks again.

[dblock]

I think this is a bug with swagger-ui, but it will be much easier to reproduce here, that's what you should do IMO first.