swagger-api/swagger-ui

Authorize button: logout is not clearing credentials

Open

#6 049 ouverte le 2 juin 2020

Voir sur GitHub
 (5 commentaires) (8 réactions) (0 assignés)JavaScript (8 801 forks)batch import
Hacktoberfesttype: bug

Métriques du dépôt

Stars
 (25 447 stars)
Métriques de merge PR
 (Merge moyen 20h 34m) (14 PRs mergées en 30 j)

Description

Q&A (please complete the following information)

  • OS: [Mint]
  • Browser: [chrome]
  • Version: [80]
  • Method of installation: [e.g. npm, dist assets]
  • Swagger-UI version: [3.25.1]
  • Swagger/OpenAPI version: [Springdoc-openapi: 1.3.9]

Content & configuration

@Bean
    public OpenAPI customOpenAPI() {
        return new OpenApi()
                .components(new Components().addSecuritySchemes("basicScheme",
                        new SecurityScheme().type(SecurityScheme.Type.HTTP).scheme("basic")))
                .addSecurityItem(new SecurityRequirement().addList("basicScheme",
                        Collections.singletonList("basic")));
    }

Example Swagger/OpenAPI definition:

springdoc:
  endpoint: "/swagger"
  pathsToMatch: /v1/**
  api-docs:
    enabled: true
    path: ${springdoc.endpoint}/v3/api-docs
  swagger-ui:
    path: ${springdoc.endpoint}/swagger-ui.html
  cache:
    disabled: true

Describe the bug you're encountering

During the logout from Authorize button, I see that "curl" doesn't contain the header with Authorize, but it seems credentials still exist in session.

To reproduce...

Steps to reproduce the behavior: The scenario for basic auth:

  1. Call secured endpoint from swagger-ui list and got proper unauthorized information.
  2. Click Authorize button
  3. Set login and password
  4. Call secured endpoint and got the proper result from swagger-ui list
  5. Click Authorize button
  6. Click Logout button
  7. Call the same endpoint from points 1 and 4, but there should be information like unauthorized, but still got the proper result expected only for logged user.

Note:

  • I have tried to set at point 7 the same username but wrong password - still didn't get unauthorized information.
  • When set another wrong username at point 7 finally got proper unauthorized information.

Guide contributeur