When using Try It Out with Open API 3, multiple cookie apiKeys are separated with & not ; as required by curl

[absurdist]

When multiple API keys are specified in the security object, Try it Out separates the name value pairs with an ampersand. Curl expects a semi colon and the request will fail

_I'm attempting to locate the source of the error, am new to react and the code base, any guidance would be appreciated.
looks like the problem will be in the creation of the request headers prior to calling the curl formatting function in swagger-ui/src/core/curlify.js

But I'm still at the stage of fumbling around trying to orient myself in the code._

Q	A
Bug or feature request?	BUG
Which Swagger/OpenAPI version?	3
Which Swagger-UI version?	"version":"3.9.3"
How did you install Swagger-UI?	git clone, npm run-script build, ws
Which browser & version?	Version 64.0.3282.140
Which operating system?	windows 7

Demonstration API definition

openapi: 3.0.5
info:
  title: test api
  description: test api
  version: 1.0.0

paths:
  /tests:
    get:
      description: "test use of two api keys in cookie"
      operationId: testGet
      tags:
      - test

      responses:
        '200':
          description: test
          content:
            # application/json:
            #   schema:{}
            #     {
            #       "title": "test-response",
            #       "type": "object",
            #       "properties": {
            #           "value": "integer"
            #       }
            #   }



components:
  securitySchemes:
    keyA:
      type: apiKey
      in: cookie
      name: key-a

    keyB:
      type: apiKey
      in: cookie
      name: keyB

security:
  - keyA: []
    keyB: []

servers:
  - url: 'http://localhost'
    description: localhost

Expected Behavior

Try it out should create a call like this:

    curl -X GET "http://localhost/tests" -H "accept: */*" -H "Cookie: key-a=a; keyB=b"

or

    curl -X GET "http://localhost/tests" -H "accept: */*" -b "key-a=a; keyB=b"

see:
http://www.mit.edu/afs.new/sipb/user/ssen/src/curl-7.11.1/docs/curl.html

Current Behavior

Try it out produces this:

    curl -X GET "http://localhost/tests" -H "accept: */*" -H "Cookie: key-a=a&keyB=b"

Context

This issue is preventing me from using swagger to demonstrate a new API over a system with a legacy security model that requires multiple cookie values to be passed

[sologub-s]

I have the same issue.

[Raptor399]

There is a second issue at play here: the apiKey values are being UriEncoded, but they shouldn't be. Granted, it's vague what characters cookies allow, but I see cookie values unescaped in in the request the latest version of Chrome, so I'm guessing that is the standard.

For example:

curl -X GET "http://localhost/tests" -H "accept: */*" -H "Cookie: key-a=a%2Ba&keyB=b%2Fb"

should be:

curl -X GET "http://localhost/tests" -H "accept: */*" -H "Cookie: key-a=a+a; keyB=b/b"

Please take this into account when fixing this bug.

[Raptor399]

Update: judging by the reaction to #OAI/OpenAPI-Specification#1676, apiKey values in the cookie are wrongly being UriEncoded by swagger-ui. From the issue:

Currently we don't limit the characters allowed in security parameters

This means there is no reason to UriEncode apiKey parameter values in the cookie according to the spec, so please don't encode them in swagger-ui (as is currently the case).

[shockey]

Catching up here - are we all talking about the cURL output, or is this being observed in the requests Swagger UI itself is sending out as well?

[Raptor399]

@shockey I observed UriEncoded apiKey cookie values in Swagger UI in Chrome at first. Calls would not work in the browser, so I copied the curl command to a terminal for further testing. There I discovered that undoing UriEncoding of the apiKey cookie values made things work as expected.

[amitbaraik]

Hello All,

do anyone know how to fix this? My problem is same as absurdist

[t1bb4r]

Anyone have a workaround? Issue has been open for over a year. How are you using cookies?

[t1bb4r]

Maybe to clarify the title, it is not required by curl it is required by http (all http web servers), https://tools.ietf.org/html/rfc6265#section-5.4
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cookie
"A list of name-value pairs in the form of <cookie-name>=<cookie-value>. Pairs in the list are separated by a semicolon and a space ('; ')."

[t1bb4r]

Sorry I'm stupid, my cookies were not being set due to an unrelated issue. I thought this was the reason, but I see now that this is indeed just an issue with how curl is formatted and not an issue with the functionality of cookies.

[aantillonl]

Also having this issue. As a workaround, and pretty ugly one, you could instead defining a Security Scheme with in: cookie for the API Key, define it as a Parameter for your operation as follows:

get:
    summary: Test endpoint
    parameters:
        - name: authCookie
          schema:
            type: object
            properties:
              cookie1:
                type: string
              cookie2:
                type: string                  
          in: cookie
          explode: true
          style: matrix

This would generate a curl command with the header Cookie= ;cookie1=value;cookie2=value which at least for me worked from the terminal. Note that the cookie values are not formatted when you use this method(i.e. symbols like "+" and "/', are inserted unencoded)

The disadvantage is that you need to define this params for every route. Also the cookie values are defined as json in a text area from the UI instead of the nicer form available for Security Schemes.

[till213]

To add that I just stumbled over this same problem: we use "XML formatted cookies" (SAML assertions). For the given request the developer tool "Postman" generates the following command:

curl --location --request POST 'http://example.com:/my/service/' \
--header 'Content-Type: application/json' \
--header 'Cookie: SAML_ASSERTION="<saml2:Assertion xmlns:saml2=' ... </saml2:Assertion>"' \ ...

However when selecting "Try it out" in SwaggerUI (within Visual Studio Code, in case that matters) the generated curl command is like:

curl -X POST "http://example.com:/my/service/" -H "accept: application/json" -H "Content-Type: application/json" -H "Cookie: SAML_ASSERTION=%3Csaml2%3AAssertion%20xmlns%3Asaml2%3D'urn ... sertion%3E" -d ...

In other words: the "XML cookie" gets "URI encoded".

Would be nice if this issue would be fixed ;) +1 from me anyway...

[bam-bz]

This looks like the location where the ampersand separator is added:
https://github.com/swagger-api/swagger-js/blob/84bff85dec3a4a7e70db3fc7fbe67154c51418bf/src/execute/index.js#L292

I'm not familiar enough with swagger to know whether replacing & with ; on that line would break any valid use cases.

Related issue in the swagger-js repo: swagger-api/swagger-js#2358