feat: secure swagger endpoint

Signed-off-by: Pranav C <pranavxc@gmail.com>
2 years ago · 0e8fae87ab
3 changed files with 26 additions and 2 deletions
--- a/packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts
+++ b/packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts
@ -2,6 +2,7 @@
 import catchError, { NcError } from '../../helpers/catchError';
 import { Router } from 'express';
 import Model from '../../../models/Model';
+import ncMetaAclMw from '../../helpers/ncMetaAclMw'
 import getSwaggerJSON from './helpers/getSwaggerJSON';
 import Project from '../../../models/Project';
 import swaggerHtml from './swaggerHtml';
@ -42,7 +43,7 @@ const router = Router({ mergeParams: true });
 // todo: auth
 router.get(
  '/api/v1/db/meta/projects/:projectId/swagger.json',
-  catchError(swaggerJson)
+  ncMetaAclMw(swaggerJson, 'swaggerJson')
 );
 router.get('/api/v1/db/meta/projects/:projectId/swagger', (_req, res) =>
  res.send(swaggerHtml)
--- a/packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts
+++ b/packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts
@ -12,14 +12,34 @@ export default `<!DOCTYPE html>
 </div>

 <script>
+
+let initialLocalStorage = {}
+
+try {
+  initialLocalStorage = JSON.parse(localStorage.getItem('nocodb-gui-v2') || '{}');
+} catch (e) {
+  console.error('Failed to parse local storage', e);
+}
+
+var xmlhttp = new XMLHttpRequest();   // new HttpRequest instance 
+xmlhttp.open("GET", "./swagger.json");
+xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
+xmlhttp.setRequestHeader("xc-auth", initialLocalStorage && initialLocalStorage.token);
+xmlhttp.onload = function () {
+
  const ui = SwaggerUIBundle({
-    url: "./swagger.json",
+    // url: ,
+    spec: JSON.parse(xmlhttp.responseText),
    dom_id: '#app',
    presets: [
      SwaggerUIBundle.presets.apis,
      SwaggerUIBundle.SwaggerUIStandalonePreset
    ],
  })
+}
+xmlhttp.send();
+
+  
  console.log('%c🚀 We are Hiring!!! 🚀%c\\n%cJoin the forces http://careers.nocodb.com', 'color:#1348ba;font-size:3rem;padding:20px;', 'display:none', 'font-size:1.5rem;padding:20px');
    const linkEl = document.createElement('a')
  linkEl.setAttribute('href', "http://careers.nocodb.com")
--- a/packages/nocodb/src/lib/utils/projectAcl.ts
+++ b/packages/nocodb/src/lib/utils/projectAcl.ts
@ -155,6 +155,7 @@ export default {
      dataCount: true,
      upload: true,
      uploadViaURL: true,
+      swaggerJson:true
    },
  },
  commenter: {
@ -214,6 +215,7 @@ export default {
      xcAuditModelCommentsCount: true,
      xcExportAsCsv: true,
      dataCount: true,
+      swaggerJson:true
    },
  },
  viewer: {
@ -269,6 +271,7 @@ export default {
      list: true,
      xcExportAsCsv: true,
      dataCount: true,
+      swaggerJson:true
    },
  },
  user_new: {