
Improvements to the OpenAPI Docs #14754

Merged: 11 commits merged into v14/dev from v14/feature/swagger-docs on Apr 11, 2024

Conversation

bergmania (Member) commented Aug 31, 2023

Description

This PR ensures that the endpoints in the management API report that they can return the following statuses:

  • 401 - Unauthorized
    • If it does not have AllowAnonymousAttribute - This is the same logic that already shows the authentication "lock" symbol
  • 403 - Forbidden
    • If it has at least 3 AuthorizeAttribute
      • The two from ManagementApiControllerBase will always ensure you have access to the backoffice and can disable the controller. If others are present, there is a risk the user does not have access, and thereby a 403 is returned.
    • If the constructor injects IAuthorizationService, as all dynamic policies will use this pattern. Here too there is a risk the user does not have access to a given resource, and thereby a 403 is returned.

Furthermore, we also ensure the APIs only accept the application/json header, and not text/plain and other defaults.

Test

  • Ensure endpoints that require authentication document the possible 401
  • Ensure endpoints that require it, but that your user potentially does not have access to, document the possible 403

Bonus

I also tested what happens if I am authenticated but remove all the tokens from the database. In that case a 401 is returned as expected.
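The rules in the description (401 unless the endpoint allows anonymous access, 403 when more than the two base AuthorizeAttributes apply or the controller takes an IAuthorizationService, and application/json as the only documented request media type) map directly onto a Swashbuckle IOperationFilter. The block below is an added illustration written for this page; it is not the PR's BackOfficeSecurityRequirementsOperationFilter or any other Umbraco code, and the class name, the `BaseAuthorizeAttributeCount` constant and the response descriptions are assumptions made here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

// Added example (not the PR's BackOfficeSecurityRequirementsOperationFilter):
// a Swashbuckle operation filter that documents 401/403 using the rules the
// PR description lays out, and trims request media types to application/json.
public sealed class AuthResponsesOperationFilter : IOperationFilter
{
    // Assumption: the base controller contributes two AuthorizeAttributes
    // (backoffice access + "controller enabled"), so anything beyond that is a
    // resource-specific policy a given user may fail.
    private const int BaseAuthorizeAttributeCount = 2;

    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        MethodInfo action = context.MethodInfo;
        Type controller = action.DeclaringType
            ?? throw new InvalidOperationException("Action has no declaring type.");

        // Action-level and controller-level attributes; inherit: true pulls in
        // the ones declared on base controllers.
        object[] actionAttrs = action.GetCustomAttributes(inherit: true);
        object[] controllerAttrs = controller.GetCustomAttributes(inherit: true);

        // 1. Anonymous endpoints cannot fail authentication, so no 401/403.
        if (actionAttrs.OfType<IAllowAnonymous>().Any()
            || controllerAttrs.OfType<IAllowAnonymous>().Any())
        {
            return;
        }

        // 2. Everything else may reject a missing, expired or revoked token.
        operation.Responses.TryAdd("401", new OpenApiResponse
        {
            Description = "The resource is protected and requires an authentication token."
        });

        // 3. A 403 is possible when a policy beyond the base ones applies, or
        //    when the controller performs dynamic checks via IAuthorizationService.
        int authorizeCount = actionAttrs.OfType<AuthorizeAttribute>().Count()
            + controllerAttrs.OfType<AuthorizeAttribute>().Count();

        bool usesAuthorizationService = controller.GetConstructors()
            .SelectMany(ctor => ctor.GetParameters())
            .Any(p => p.ParameterType == typeof(IAuthorizationService));

        if (authorizeCount > BaseAuthorizeAttributeCount || usesAuthorizationService)
        {
            operation.Responses.TryAdd("403", new OpenApiResponse
            {
                Description = "The authenticated user does not have access to this resource."
            });
        }

        // 4. Advertise only application/json for request bodies. This changes the
        //    document only; enforcing it at runtime still needs
        //    [Consumes("application/json")] or an equivalent filter on the controllers.
        KeepJsonOnly(operation.RequestBody?.Content);
    }

    private static void KeepJsonOnly(IDictionary<string, OpenApiMediaType>? content)
    {
        if (content is null)
        {
            return;
        }

        foreach (string mediaType in content.Keys
                     .Where(k => !k.Equals("application/json", StringComparison.OrdinalIgnoreCase))
                     .ToList())
        {
            content.Remove(mediaType);
        }
    }
}
```

Register it with `services.AddSwaggerGen(options => options.OperationFilter<AuthResponsesOperationFilter>())` and diff the regenerated OpenApi.json against the checked-in one. Two caveats worth keeping in mind when reading the output: the attribute count is a heuristic, so an action that repeats `[Authorize]` for no reason is also documented as returning 403, and a policy attached by convention (a fallback policy or `RequireAuthorization()` on the endpoint) is not an attribute at all; those show up in `context.ApiDescription.ActionDescriptor.EndpointMetadata` rather than in reflection over the controller. Neither the filter nor the generated document enforces anything; the 401 on revoked tokens mentioned in the Bonus section is the authentication handler's behaviour, which the filter merely describes.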

…eature/swagger-docs

# Conflicts:
#	src/Umbraco.Cms.Api.Management/Controllers/ManagementApiControllerBase.cs
#	src/Umbraco.Cms.Api.Management/OpenApi.json
#	src/Umbraco.Cms.Api.Management/OpenApi/BackOfficeSecurityRequirementsOperationFilter.cs
…r-docs

# Conflicts:
#	src/Umbraco.Cms.Api.Management/OpenApi.json
# Conflicts:
#	src/Umbraco.Cms.Api.Management/OpenApi.json
@bergmania bergmania closed this Apr 11, 2024
@bergmania bergmania reopened this Apr 11, 2024
@bergmania bergmania closed this Apr 11, 2024
@bergmania bergmania reopened this Apr 11, 2024
…eature/swagger-docs

# Conflicts:
#	src/Umbraco.Cms.Api.Management/OpenApi.json
@bergmania bergmania merged commit 782c009 into v14/dev Apr 11, 2024
16 checks passed
@bergmania bergmania deleted the v14/feature/swagger-docs branch April 11, 2024 09:58
2 participants