swagger-api/swagger-ui

Authorize button: logout is not clearing credentials

Open

#6,049 创建于 2020年6月2日

在 GitHub 查看
 (5 评论) (8 反应) (0 负责人)JavaScript (8,801 fork)batch import
Hacktoberfesttype: bug

仓库指标

Star
 (25,447 star)
PR 合并指标
 (平均合并 20小时 34分钟) (30 天内合并 14 个 PR)

描述

Q&A (please complete the following information)

  • OS: [Mint]
  • Browser: [chrome]
  • Version: [80]
  • Method of installation: [e.g. npm, dist assets]
  • Swagger-UI version: [3.25.1]
  • Swagger/OpenAPI version: [Springdoc-openapi: 1.3.9]

Content & configuration

@Bean
    public OpenAPI customOpenAPI() {
        return new OpenApi()
                .components(new Components().addSecuritySchemes("basicScheme",
                        new SecurityScheme().type(SecurityScheme.Type.HTTP).scheme("basic")))
                .addSecurityItem(new SecurityRequirement().addList("basicScheme",
                        Collections.singletonList("basic")));
    }

Example Swagger/OpenAPI definition:

springdoc:
  endpoint: "/swagger"
  pathsToMatch: /v1/**
  api-docs:
    enabled: true
    path: ${springdoc.endpoint}/v3/api-docs
  swagger-ui:
    path: ${springdoc.endpoint}/swagger-ui.html
  cache:
    disabled: true

Describe the bug you're encountering

During the logout from Authorize button, I see that "curl" doesn't contain the header with Authorize, but it seems credentials still exist in session.

To reproduce...

Steps to reproduce the behavior: The scenario for basic auth:

  1. Call secured endpoint from swagger-ui list and got proper unauthorized information.
  2. Click Authorize button
  3. Set login and password
  4. Call secured endpoint and got the proper result from swagger-ui list
  5. Click Authorize button
  6. Click Logout button
  7. Call the same endpoint from points 1 and 4, but there should be information like unauthorized, but still got the proper result expected only for logged user.

Note:

  • I have tried to set at point 7 the same username but wrong password - still didn't get unauthorized information.
  • When set another wrong username at point 7 finally got proper unauthorized information.

贡献者指南