How to conditionally disable authentication component?

[olivierauverlot]

Hi,

I'm developing a RESTful API using SQLPage and have created a Swagger file to document the API.

I'm experiencing an issue with two services that use HTTP Basic Authentication to restrict access. These services employ an authentication component.

When Swagger UI attempts to test the service, it first sends an OPTIONS request followed by a GET request. Since the service is password-protected and Swagger UI does not transmit credentials with the OPTIONS verb, the service returns a 401 error code.

How can I disable authentication specifically for OPTIONS requests?

Best regards
Olivier

[anntnzrb]

Use sqlpage.request_method() in a WHERE clause to conditionally disable auth:

SELECT 'authentication' AS component,
       'your_password_hash' AS password_hash,
       :password AS password
WHERE sqlpage.request_method() != 'OPTIONS';

This allows OPTIONS requests (CORS preflight) to pass through unauthenticated while maintaining security for GET/POST requests.

[olivierauverlot]

Yes, this solution works, but in my specific scenario, I also require the user's login credentials.

SELECT 'authentication' AS component,
    case sqlpage.basic_auth_username()
        when 'admin'
            then '$argon2i$v=19$m=8,t=1,p=1$YWFhYWFhYWE$oKBq5E8XFTHO2w' 
        when 'user'
            then '$argon2i$v=19$m=8,t=1,p=1$YWFhYWFhYWE$qsrWdjgl96ooYw' 
    end AS password_hash, 
    sqlpage.basic_auth_password() AS password
WHERE sqlpage.request_method() != 'OPTIONS';

In this scenario, I receive a 401 Unauthorized error because the sqlpage.basic_auth_name() function returns no value.

[lovasoa]

You most likely do not want to disable authentication.

The request you are mentioning is probably a cors preflight:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#specifications
• https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

[lovasoa]

@olivierauverlot The easiest fix is to host the swagger ui on the same domain as the api itself

[olivierauverlot]

I am testing the Swagger file on my computer using localhost, and SQLPage is also running on my computer. They are using two different TCP ports, but this seems to be enough for Swagger UI to consider that it needs to use CORS.

[lovasoa]

Yes, different ports are different origins. Your problem is not in swagger ui, any JavaScript code running from a different origin will have the browser trigger a preflight request before a non-GET request to your api.

The easiest is to serve your static swagger ui directly from SQLPage

[lovasoa]

You should be able to just put a documentation.html file along your .json file, served directly by sqlpage, and use it to render the ui

https://github.com/swagger-api/swagger-ui/blob/HEAD/docs/usage/installation.md#unpkg

[olivierauverlot]

Thank you for your responses, which helped me integrate an OpenAPI document into my project.

I created a small shell-swagger-ui component to ensure a clean implementation. It is a simple HTML page that loads the Swagger-UI code via the unpkg CDN.

<!DOCTYPE html>
<html{{#if language}} lang="{{language}}{{/if}}">
  <head>
    <meta charset="{{default charset "utf-8"}}" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="description" content="SwaggerUI" />
    <title>{{default title "Swagger UI"}}</title>
    <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@{{default version "5.11.0"}}/swagger-ui.css" />
  </head>
  <body>
  <div id="swagger-ui"></div>
    <script nonce="{{@csp_nonce}}" src="https://unpkg.com/swagger-ui-dist@{{default version "5.11.0"}}/swagger-ui-bundle.js" crossorigin></script>
    <script nonce="{{@csp_nonce}}">
      window.onload = () => {
        window.ui = SwaggerUIBundle({
          url: '{{documentation}}',
          dom_id: '#swagger-ui',
        });
      };
    </script>  
  </body>
</html>

The endpoint /api/v2/openapi.sql for accessing the documentation is simply a component with a few parameters, such as the page title and the path to the OpenAPI file formatted in YAML.

SELECT
    'shell-swagger-ui'                  AS component,
    'Swagger Demo'                     AS title,
    'fr'                                AS language,
    'utf-8'                             AS charset,
    'swagger/openapi.yaml'               AS documentation,
    '5.11.0'                            AS version;

@lovasoa I'm not sure if this type of component would be beneficial to add to the standard components of SQLPage. It doesn't seem to have general applicability. What are your thoughts on this?

Best regards
Olivier

[lovasoa]

Indeed, I don't think we should upstream this before we have more support for building APIs