Authorization header override in Swagger UI with Nginx

Julian

I'm trying to set up a Swagger UI page with my current Nginx configuration, but I'm running into an issue with the HTTP authorization header. The Nginx configuration is as follows:

server {
    listen 80;
    server_name myapi.example.com;

    # Everything not matched below: the API itself, which does its own
    # Bearer-token authorization in the backend.
    location / {
            proxy_pass http://127.0.0.1:9000;
            proxy_redirect off;
            proxy_buffering off;

            proxy_http_version 1.1;

            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Any path beginning with /docs or /api-docs: Nginx enforces HTTP Basic
    # before proxying to the same backend.
    location ~ ^/(docs|api-docs) {
            auth_basic "Restricted";
            auth_basic_user_file /home/ubuntu/.htpasswd;

            proxy_pass http://127.0.0.1:9000;

            proxy_http_version 1.1;
    }
}

I'm attempting to set Basic auth for the resources concerning the documentation, while having the rest of the APIs have their own authorization engine following the Bearer scheme. So for example, to access the URL https://myapi.example.com/docs or https://myapi.example.com/api-docs I will need to provide a username and password, and to make a successful call to https://myapi.example.com/myresource1 I will need to send the header Authorization: Bearer <token> in the request with a valid access token.

This setup works as expected, except through Swagger UI. The "Try it out" functionality breaks by sending the wrong authorization header. Instead of receiving a header of the form Authorization: Bearer <token>, the server is receiving Authorization: Basic <value> with the credentials used to access the documentation page.

Worth mentioning, the Swagger UI setup for the header looks like this:

window.authorizations.add("key", new ApiKeyAuthorization(
    "Authorization", "Bearer " + key, "header", ":"));

This works when running Swagger UI locally, but breaks when running against the Nginx server. Also, everything works if I remove the second location from the Nginx configuration (losing Basic auth on /docs and /api-docs).

nginx, http-headers, authorization, swagger, swagger-ui

Answers

answered 4 years ago Julian #1

After doing some more research, I think this is due to the browser caching the Basic auth credentials and automatically sending them in the header in subsequent requests.

http://en.wikipedia.org/wiki/Basic_access_authentication

I decided to follow the advice in this article and implement an auth mechanism for the documentation and the Swagger UI page.
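The answer stops at "implement an auth mechanism" without showing one, so here is one way to keep HTTP Basic on the documentation while stopping the cached credentials from reaching the API: serve the docs from their own origin. Per RFC 7617 the browser caches Basic credentials per protection space, i.e. scheme plus host plus port (and realm), so a password entered for docs.myapi.example.com is never sent preemptively to myapi.example.com, whatever path heuristic the browser uses. This is an added example, not the poster's configuration; the second hostname docs.myapi.example.com, the CORS settings and the 401 guard on the API origin are assumptions, and the backend address and htpasswd path are simply carried over from the question.

```nginx
# Added example, not the original poster's configuration. Hostnames, the
# backend address and the htpasswd path are placeholders taken from the
# question; docs.myapi.example.com is an assumed second hostname that must
# resolve to this server.

# Origin 1: Swagger UI and the spec, behind HTTP Basic.
server {
    listen 80;
    server_name docs.myapi.example.com;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /home/ubuntu/.htpasswd;

        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Nginx has already checked the Basic credentials. An empty value
        # drops the header, so the docs password is never forwarded to the
        # application server.
        proxy_set_header Authorization "";
    }
}

# Origin 2: the API. Nothing here ever challenges with Basic, so the browser
# holds no Basic credentials for this origin and the Authorization header
# arrives exactly as Swagger UI set it (Bearer <token>).
server {
    listen 80;
    server_name myapi.example.com;

    location / {
        # Failure-mode check (assumed policy): a Basic header on the API can
        # only be a leaked docs password. Refuse it and advertise the scheme
        # that is actually expected.
        if ($http_authorization ~* "^Basic ") {
            add_header WWW-Authenticate 'Bearer realm="myapi"' always;
            return 401;
        }

        # Swagger UI now runs on a different origin, so its "Try it out"
        # requests are cross-origin and need CORS approval for the custom
        # Authorization header. Allow only the docs origin.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin "http://docs.myapi.example.com" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age 86400 always;
            return 204;
        }
        add_header Access-Control-Allow-Origin "http://docs.myapi.example.com" always;

        proxy_pass http://127.0.0.1:9000;
        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats before copying this. Both server blocks listen on plain HTTP, as in the question, and Basic sends the password base64-encoded in the clear on every request, so in practice both origins belong behind TLS (and the CORS origin value must then be https://docs.myapi.example.com, matching scheme, host and port exactly). Second, the Swagger spec served to the UI must name myapi.example.com as the API host, otherwise "Try it out" keeps calling the docs origin, where the Basic challenge, and the cached credentials, still apply.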
