From 0e8fae87ab33521870e759e83c21fdfd0ca3d9ff Mon Sep 17 00:00:00 2001
From: Pranav C <pranavxc@gmail.com>
Date: Tue, 15 Nov 2022 01:53:54 +0530
Subject: [PATCH] feat: secure swagger endpoint

Signed-off-by: Pranav C <pranavxc@gmail.com>
---
 .../src/lib/meta/api/swagger/swaggerApis.ts   |  3 ++-
 .../src/lib/meta/api/swagger/swaggerHtml.ts   | 22 ++++++++++++++++++-
 packages/nocodb/src/lib/utils/projectAcl.ts   |  3 +++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts b/packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts
index 26ddb20a95..48e395f8b0 100644
--- a/packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts
+++ b/packages/nocodb/src/lib/meta/api/swagger/swaggerApis.ts
@@ -2,6 +2,7 @@
 import catchError, { NcError } from '../../helpers/catchError';
 import { Router } from 'express';
 import Model from '../../../models/Model';
+import ncMetaAclMw from '../../helpers/ncMetaAclMw'
 import getSwaggerJSON from './helpers/getSwaggerJSON';
 import Project from '../../../models/Project';
 import swaggerHtml from './swaggerHtml';
@@ -42,7 +43,7 @@ const router = Router({ mergeParams: true });
 // todo: auth
 router.get(
   '/api/v1/db/meta/projects/:projectId/swagger.json',
-  catchError(swaggerJson)
+  ncMetaAclMw(swaggerJson, 'swaggerJson')
 );
 router.get('/api/v1/db/meta/projects/:projectId/swagger', (_req, res) =>
   res.send(swaggerHtml)
diff --git a/packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts b/packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts
index 3f82075ae2..9553459df0 100644
--- a/packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts
+++ b/packages/nocodb/src/lib/meta/api/swagger/swaggerHtml.ts
@@ -12,14 +12,34 @@ export default `<!DOCTYPE html>
 </div>
 
 <script>
+
+let initialLocalStorage = {}
+
+try {
+  initialLocalStorage = JSON.parse(localStorage.getItem('nocodb-gui-v2') || '{}');
+} catch (e) {
+  console.error('Failed to parse local storage', e);
+}
+
+var xmlhttp = new XMLHttpRequest();   // new HttpRequest instance 
+xmlhttp.open("GET", "./swagger.json");
+xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
+xmlhttp.setRequestHeader("xc-auth", initialLocalStorage && initialLocalStorage.token);
+xmlhttp.onload = function () {
+
   const ui = SwaggerUIBundle({
-    url: "./swagger.json",
+    // url: ,
+    spec: JSON.parse(xmlhttp.responseText),
     dom_id: '#app',
     presets: [
       SwaggerUIBundle.presets.apis,
       SwaggerUIBundle.SwaggerUIStandalonePreset
     ],
   })
+}
+xmlhttp.send();
+
+  
   console.log('%c🚀 We are Hiring!!! 🚀%c\\n%cJoin the forces http://careers.nocodb.com', 'color:#1348ba;font-size:3rem;padding:20px;', 'display:none', 'font-size:1.5rem;padding:20px');
     const linkEl = document.createElement('a')
   linkEl.setAttribute('href', "http://careers.nocodb.com")
diff --git a/packages/nocodb/src/lib/utils/projectAcl.ts b/packages/nocodb/src/lib/utils/projectAcl.ts
index b10a856bb5..1791c93114 100644
--- a/packages/nocodb/src/lib/utils/projectAcl.ts
+++ b/packages/nocodb/src/lib/utils/projectAcl.ts
@@ -155,6 +155,7 @@ export default {
       dataCount: true,
       upload: true,
       uploadViaURL: true,
+      swaggerJson:true
     },
   },
   commenter: {
@@ -214,6 +215,7 @@ export default {
       xcAuditModelCommentsCount: true,
       xcExportAsCsv: true,
       dataCount: true,
+      swaggerJson:true
     },
   },
   viewer: {
@@ -269,6 +271,7 @@ export default {
       list: true,
       xcExportAsCsv: true,
       dataCount: true,
+      swaggerJson:true
     },
   },
   user_new: {