
I built an API that uses CSRF cookies for authentication. Now I want to document this API using OpenAPI/Swagger.

All routes are protected by a middleware that verifies the CSRF token, except for /sanctum/csrf-cookie, which is used to initially retrieve the token.

Therefore, I need the Swagger UI to include the cookie on each request. I followed the documentation, but it does not work.

Here's an excerpt from my Swagger definition:

security:
  - cookieAuth: []
paths:
  /sanctum/csrf-cookie:
    get:
      operationId: "getApiToken"
      responses:
        '204':
          description: "successful token retrieval"
          headers:
            Set-Cookie:
              schema:
                type: string
  /login:
    post:
      operationId: "loginUser"
      requestBody:
        content:
          application/json:
            schema:
              type: "object"
              properties:
                username:
                  type: string
                password:
                  type: string

components:
  securitySchemes:
    cookieAuth:
      type: apiKey
      in: cookie
      name: XSRF-TOKEN

As seen in the screenshot of my browser's network monitor, the headers of the login request do not contain the XSRF token.

In contrast, this is the exact same request sent by my frontend:

mapawa
  • Please see the [linked Q&A](https://stackoverflow.com/questions/49272171/sending-cookie-session-id-with-swagger-3-0). Cookie auth is currently not supported in Swagger UI and Swagger Editor because of browser restrictions (more details in https://github.com/swagger-api/swagger-js/issues/1163). This is also mentioned on the [documentation page](https://swagger.io/docs/specification/authentication/cookie-authentication/) you linked to. – Helen Jun 30 '21 at 19:55
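The middleware the question describes, as an added example that is not part of the question, the answer, or Laravel Sanctum: a simplified double-submit check that exempts /sanctum/csrf-cookie and rejects a POST /login that arrives, like the Swagger UI request in the screenshot, without the XSRF-TOKEN cookie. It assumes the Sanctum convention of echoing the cookie value in an X-XSRF-TOKEN request header and a 419 status on failure; the Request type and sample requests are constructed for the illustration.

```python
# Added example (not from the question or Laravel Sanctum): simplified double-submit
# check. Assumed: cookie echoed in X-XSRF-TOKEN header, 419 on failure; data constructed.
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "XSRF-TOKEN"               # cookie name from the question's securitySchemes
CSRF_HEADER = "X-XSRF-TOKEN"             # assumed echo header
EXEMPT_PATHS = {"/sanctum/csrf-cookie"}  # the one unprotected route in the question
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_cookie() -> dict:
    """GET /sanctum/csrf-cookie: mint a random token and hand it out via Set-Cookie."""
    return {"status": 204, "set_cookie": {CSRF_COOKIE: secrets.token_urlsafe(32)}}


def csrf_middleware(req: Request) -> int:
    """Return 200 if the request may proceed, 419 if the CSRF check fails.

    Safe methods and the token-issuing route are exempt; every other request must
    carry the cookie and an identical header value, compared in constant time.
    """
    if req.method in SAFE_METHODS or req.path in EXEMPT_PATHS:
        return 200
    cookie = req.cookies.get(CSRF_COOKIE)
    header = req.headers.get(CSRF_HEADER)
    if not cookie or not header or not hmac.compare_digest(cookie, header):
        return 419
    return 200


def swagger_ui_login_attempt() -> int:
    """Constructed request matching the question's capture: Swagger UI never
    attached the cookie, so nothing can be echoed and the check fails."""
    return csrf_middleware(Request("POST", "/login", {}, {"Content-Type": "application/json"}))


def frontend_login_attempt() -> int:
    """Constructed frontend request: cookie present and echoed, so it passes."""
    token = issue_csrf_cookie()["set_cookie"][CSRF_COOKIE]
    return csrf_middleware(Request("POST", "/login", {CSRF_COOKIE: token}, {CSRF_HEADER: token}))
```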

1 Answer


It should be shown in the Authorize (lock) icon in the top right corner of the rendered Swagger document. In contrast, you can add it to each request by adding the

  security:
   - api_key: []

block to each route definition. In that case the lock icon on the left side of the request panel in Swagger UI should show the information. If you need to see them as headers, make sure to add it to the route using a parameters block.

Wishwa Perera
  • Which value am I supposed to write in there? If I manually add the XSRF token I receive from the API, nothing changes. Also, neither adding the security property to the requests nor changing the `in` value to `header`, nor any combination of those measures, works. – mapawa Jun 30 '21 at 14:23
  • Adding the security property to requests is optional, if you need the authentication to apply to only a subset of operations rather than all. As for including cookie information in the request, please refer to https://swagger.io/docs/specification/describing-parameters/#cookie-parameters . This is what I meant by adding to the parameters section. – Wishwa Perera Jun 30 '21 at 14:53