swagger-api/swagger-ui

Authorize button: logout is not clearing credentials

Open

#6049 aperta il 2 giu 2020

Vedi su GitHub
 (5 commenti) (8 reazioni) (0 assegnatari)JavaScript (8801 fork)batch import
Hacktoberfesttype: bug

Metriche repository

Star
 (25.447 star)
Metriche merge PR
 (Merge medio 20h 34m) (14 PR mergiate in 30 g)

Descrizione

Q&A (please complete the following information)

  • OS: [Mint]
  • Browser: [chrome]
  • Version: [80]
  • Method of installation: [e.g. npm, dist assets]
  • Swagger-UI version: [3.25.1]
  • Swagger/OpenAPI version: [Springdoc-openapi: 1.3.9]

Content & configuration

@Bean
    public OpenAPI customOpenAPI() {
        return new OpenApi()
                .components(new Components().addSecuritySchemes("basicScheme",
                        new SecurityScheme().type(SecurityScheme.Type.HTTP).scheme("basic")))
                .addSecurityItem(new SecurityRequirement().addList("basicScheme",
                        Collections.singletonList("basic")));
    }

Example Swagger/OpenAPI definition:

springdoc:
  endpoint: "/swagger"
  pathsToMatch: /v1/**
  api-docs:
    enabled: true
    path: ${springdoc.endpoint}/v3/api-docs
  swagger-ui:
    path: ${springdoc.endpoint}/swagger-ui.html
  cache:
    disabled: true

Describe the bug you're encountering

During the logout from Authorize button, I see that "curl" doesn't contain the header with Authorize, but it seems credentials still exist in session.

To reproduce...

Steps to reproduce the behavior: The scenario for basic auth:

  1. Call secured endpoint from swagger-ui list and got proper unauthorized information.
  2. Click Authorize button
  3. Set login and password
  4. Call secured endpoint and got the proper result from swagger-ui list
  5. Click Authorize button
  6. Click Logout button
  7. Call the same endpoint from points 1 and 4, but there should be information like unauthorized, but still got the proper result expected only for logged user.

Note:

  • I have tried to set at point 7 the same username but wrong password - still didn't get unauthorized information.
  • When set another wrong username at point 7 finally got proper unauthorized information.

Guida contributor