
feat: secure swagger endpoint

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/4395/head
Pranav C 2 years ago
parent
commit
0e8fae87ab
  1. 3
      packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts
  2. 22
      packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts
  3. 3
      packages/nocodb/src/lib/utils/projectAcl.ts

3
packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts

@ -2,6 +2,7 @@
import catchError, { NcError } from '../../helpers/catchError'; import catchError, { NcError } from '../../helpers/catchError';
import { Router } from 'express'; import { Router } from 'express';
import Model from '../../../models/Model'; import Model from '../../../models/Model';
import ncMetaAclMw from '../../helpers/ncMetaAclMw'
import getSwaggerJSON from './helpers/getSwaggerJSON'; import getSwaggerJSON from './helpers/getSwaggerJSON';
import Project from '../../../models/Project'; import Project from '../../../models/Project';
import swaggerHtml from './swaggerHtml'; import swaggerHtml from './swaggerHtml';
@ -42,7 +43,7 @@ const router = Router({ mergeParams: true });
// todo: auth // todo: auth
router.get( router.get(
'/api/v1/db/meta/projects/:projectId/swagger.json', '/api/v1/db/meta/projects/:projectId/swagger.json',
catchError(swaggerJson) ncMetaAclMw(swaggerJson, 'swaggerJson')
); );
router.get('/api/v1/db/meta/projects/:projectId/swagger', (_req, res) => router.get('/api/v1/db/meta/projects/:projectId/swagger', (_req, res) =>
res.send(swaggerHtml) res.send(swaggerHtml)
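Review bot: The `// todo: auth` comment at the top of the hunk is now stale for the line it sits above, since `swaggerJson` is wrapped in `ncMetaAclMw(swaggerJson, 'swaggerJson')`; either drop it or move it onto the `/swagger` route below, which still serves `swaggerHtml` without any check, e.g. `// html shell is public; the spec it fetches (swagger.json) is ACL-protected`. It is not visible here whether `ncMetaAclMw` also wraps the handler's rejections the way `catchError` did, so an unhandled error path should be confirmed rather than assumed. If `swaggerJson` was the only user of `catchError`, the `catchError` import in the first hunk becomes unused (only `NcError` may still be needed), which a linter under `noUnusedLocals` would flag. The `router.get` call for `/swagger` continues past the end of the hunk.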

22
packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts

@ -12,14 +12,34 @@ export default `<!DOCTYPE html>
</div> </div>
<script> <script>
let initialLocalStorage = {}
try {
initialLocalStorage = JSON.parse(localStorage.getItem('nocodb-gui-v2') || '{}');
} catch (e) {
console.error('Failed to parse local storage', e);
}
var xmlhttp = new XMLHttpRequest(); // new HttpRequest instance
xmlhttp.open("GET", "./swagger.json");
xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.setRequestHeader("xc-auth", initialLocalStorage && initialLocalStorage.token);
xmlhttp.onload = function () {
const ui = SwaggerUIBundle({ const ui = SwaggerUIBundle({
url: "./swagger.json", // url: ,
spec: JSON.parse(xmlhttp.responseText),
dom_id: '#app', dom_id: '#app',
presets: [ presets: [
SwaggerUIBundle.presets.apis, SwaggerUIBundle.presets.apis,
SwaggerUIBundle.SwaggerUIStandalonePreset SwaggerUIBundle.SwaggerUIStandalonePreset
], ],
}) })
}
xmlhttp.send();
console.log('%c🚀 We are Hiring!!! 🚀%c\\n%cJoin the forces http://careers.nocodb.com', 'color:#1348ba;font-size:3rem;padding:20px;', 'display:none', 'font-size:1.5rem;padding:20px'); console.log('%c🚀 We are Hiring!!! 🚀%c\\n%cJoin the forces http://careers.nocodb.com', 'color:#1348ba;font-size:3rem;padding:20px;', 'display:none', 'font-size:1.5rem;padding:20px');
const linkEl = document.createElement('a') const linkEl = document.createElement('a')
linkEl.setAttribute('href', "http://careers.nocodb.com") linkEl.setAttribute('href', "http://careers.nocodb.com")
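Review bot: `xmlhttp.onload` fires for every completed response, including 401/403 from the newly ACL-protected `swagger.json`, so `JSON.parse(xmlhttp.responseText)` is then run on an error body and the resulting object is handed to `SwaggerUIBundle` as the spec with no feedback to the user; guard it with `if (xmlhttp.status !== 200) { console.error('Failed to load swagger.json', xmlhttp.status); return; }` before the parse, and add an `xmlhttp.onerror` handler for network failures. When no token is stored, `initialLocalStorage && initialLocalStorage.token` is `undefined` and `setRequestHeader` stringifies it, so the request carries a literal `xc-auth: undefined` header — set the header only when a token exists. The `Content-Type` header on a body-less GET is unnecessary, and the `// url: ,` fragment left in place of the removed `url:` entry is dead text and should be deleted. The whole script lives inside the template literal that opens at `export default` before the hunk and closes after it, so `${` and backticks must stay escaped as the existing `\\n` shows.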

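--- a/packages/nocodb/src/lib/utils/projectAcl.ts
+++ b/packages/nocodb/src/lib/utils/projectAcl.ts
@@ -155,6 +155,7 @@ export default {
 dataCount: true,
 upload: true,
 uploadViaURL: true,
+swaggerJson:true
 },
 },
 commenter: {
@@ -214,6 +215,7 @@ export default {
 xcAuditModelCommentsCount: true,
 xcExportAsCsv: true,
 dataCount: true,
+swaggerJson:true
 },
 },
 viewer: {
@@ -269,6 +271,7 @@ export default {
 list: true,
 xcExportAsCsv: true,
 dataCount: true,
+swaggerJson:true
 },
 },
 user_new: {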
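Review bot: The added `swaggerJson:true` entry in all three hunks breaks the surrounding style, which writes `key: true,` with a space after the colon and a trailing comma (see `dataCount: true,` directly above each insertion); write `swaggerJson: true,` so the next key appended does not need to touch this line. The permission key must match the string passed to `ncMetaAclMw` in swaggerApis.ts exactly, which it does here, but a comment such as `// read-only API description; granted to every role that can read data` would make the intent of extending it to `commenter` and `viewer` explicit. The role key that owns the first hunk (line 155) is outside the hunk, so which role receives the first grant cannot be confirmed from this page, and `user_new` at the end is left without the permission — presumably intentional, worth confirming.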
