Is your feature request related to a problem? Please describe.
My application has many endpoints, but only a subselection is available as public endpoints for users.
I have set the endpoint to springdoc.api-docs.path=/api/docs
I have configured this subselection into a group/definition using a GroupedOpenApi bean, and it appears in swagger-ui as a different definition. Here, a link to /api/docs/subselection is available (can be any subselection name).
However, the /api/docs endpoint is also available, and contains ALL endpoints.
This is a security problem, as the end-users now see all internal endpoints. I have them disabled via the reverse-proxy, but I am showing more internal information than I would like to (e.g. debug endpoints).
Also, for me this is unexpected behavior: I define groups to restrict what is visible in swagger-ui, I expect this restriction to also apply to the OpenAPI definition, but apparently it does not. Or, if the ALL definition is available, then I expect swagger-ui to show that ALL definition as well, which it does not.
Describe the solution you'd like
I would like to disable the /api/docs endpoint, making it return 404, but not the /api/docs/subselection, so that for only the defined groups the OpenAPI definition is generated.
Making it configurable via a property (e.g. springdoc.api-docs.somethingetc=false) would be ideal, as I can then switch it on/off between profiles.
I do not currently need this, as I understand the situation, but for new developers this might help with the unexpected part: Consider showing the ALL definition in swagger-ui if the endpoint is enabled, or disable the ALL definition by default if groups are defined. I do not know how OpenAPI and swagger-ui are expected to work together, but this mismatch caught me by surprise, resulting in me leaking internal endpoints.
Describe alternatives you've considered
Alternative is to deny access to the /api/docs using Spring Security, but that is ugly due to it still asking for authentication.
Alternative is disabling the endpoint in a reverse proxy, but that is outside of the application's control.
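A mitigation that stays within the application's control, as an added example that is not part of this issue or of springdoc itself: the GroupedOpenApi bean for the public subselection next to a servlet filter that makes the ungrouped root definition answer 404 before Spring Security runs, so anonymous callers get no authentication challenge. It assumes springdoc-openapi 2.x on Spring Boot 3 (jakarta.servlet), the configured springdoc.api-docs.path=/api/docs, and a hypothetical group name "public" with path prefix /api/public/**.

```java
// Added example, not code from the issue or from springdoc.
// Assumes springdoc-openapi 2.x, Spring Boot 3 and springdoc.api-docs.path=/api/docs.
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springdoc.core.models.GroupedOpenApi;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class OpenApiExposureConfig {

    // Only paths matched here are described at /api/docs/public
    // (group name and path prefix are assumptions for this example).
    @Bean
    public GroupedOpenApi publicApi() {
        return GroupedOpenApi.builder()
                .group("public")
                .pathsToMatch("/api/public/**")
                .build();
    }

    // The ungrouped definition at /api/docs (and its .yaml variant) still lists
    // every endpoint. Register a filter ahead of the security filter chain that
    // returns a plain 404 for exactly those two paths; grouped paths such as
    // /api/docs/public are not matched by the exact servlet URL patterns.
    @Bean
    public FilterRegistrationBean<OncePerRequestFilter> hideRootApiDocs() {
        OncePerRequestFilter filter = new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain) throws ServletException, IOException {
                String path = req.getRequestURI().substring(req.getContextPath().length());
                if (path.equals("/api/docs") || path.equals("/api/docs.yaml")) {
                    res.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
                chain.doFilter(req, res);
            }
        };
        FilterRegistrationBean<OncePerRequestFilter> reg = new FilterRegistrationBean<>(filter);
        reg.addUrlPatterns("/api/docs", "/api/docs.yaml");
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE); // before Spring Security's filter chain
        return reg;
    }
}
```

Verify with a GET on /api/docs (expect 404) and on /api/docs/public (expect the restricted definition), and keep the reverse-proxy rule as defence in depth.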