fix(swagger): resolve petstore fallback caused by CSP and static file routing

nanotaboada · Copilot · nanotaboada · commit dd00ba698a0d · 2026-03-08T13:10:39.000-03:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/src/app.ts b/src/app.ts
@@ -66,10 +66,12 @@ app.use(bodyParser.json());
 app.use(rateLimiter.generalLimiter);
 
 // Swagger UI Express - https://github.com/scottie1984/swagger-ui-express
-app.use('/swagger', swaggerMiddleware, swaggerUi.serve, swaggerUi.setup(swaggerSpec, swaggerUiOptions));
+// Redirect /swagger/index.html BEFORE swaggerUi.serve, otherwise the static file
+// middleware serves swagger-ui-dist's own index.html (which hardcodes the petstore URL).
 app.get('/swagger/index.html', (_, response) => {
     response.redirect(301, '/swagger');
 });
+app.use('/swagger', swaggerMiddleware, swaggerUi.serve, swaggerUi.setup(undefined, swaggerUiOptions));
 app.get('/swagger.json', (_, response) => {
     response.setHeader('Content-Type', 'application/json');
     response.send(swaggerSpec);
diff --git a/src/docs/swagger.ts b/src/docs/swagger.ts
@@ -111,6 +111,10 @@ const validatedSwaggerSpecJSON = swaggerJSDoc(swaggerJSDocOptions);
 // Swagger UI Configuration
 const customSwaggerUiOptions: SwaggerUiOptions = {
     customSiteTitle: '🧪 RESTful API with Node.js and Express.js in TypeScript',
+    // swaggerUrl overrides the window.location.origin fallback in swagger-ui-init.js;
+    // without it, swagger-ui v5 uses the origin URL (which returns HTML, not JSON)
+    // when both spec and url are present, causing the petstore fallback.
+    swaggerUrl: '/swagger.json',
     swaggerOptions: {
         validatorUrl: null, // Disable external validator
         defaultModelsExpandDepth: -1, // Hide schemas by default
diff --git a/src/middlewares/swagger-middleware.ts b/src/middlewares/swagger-middleware.ts
@@ -5,6 +5,8 @@ const SWAGGER_CSP = [
     "script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com", // Allow Swagger's JS
     "style-src 'self' 'unsafe-inline'", // Required for Swagger UI styles
     "img-src 'self' data:", // Allow embedded image data
+    "connect-src 'self'", // Allow Swagger UI to fetch the spec from the same origin
+    "worker-src blob: 'self'", // Allow Swagger UI v5 to spin up its spec-parsing web worker
 ].join('; ');
 
 /**
