I'm using Swashbuckle.AspNetCore to generate swagger and include the Swagger UI with my Web API project.
In order to mask a password field's entry, I implemented an ISchemaFilter as described here. (Basically it just adds "format": "password" to the field's schema in the swagger.json.)
This works for field entry:
...but after I send the request, the password is displayed in plain-text:
How can I hide the password text in these fields?
Swagger UI does not mask passwords or API keys in the generated cURL commands. As one of the developers explains:
think of the cURL command as a way to repeat the exact network request that happened in Swagger UI, outside of the UI
So there's no way to fully mask the passwords, apart from forking Swagger UI and implementing this functionality yourself.
On a side note, never send passwords in the query string. Send them in the request body instead.
Related
We are developing for one of your customers a method from our application (written exclusively in LiveCode Script) and need to utilise SOAP via a POST command directly from LiveCode. I eventually, after a lot of digging into the resources pages, found some reference on how to Post 'CreateAndSendEnvelope' from here:
CreateAndSendSchema
However, it does not show where to place login credentials for the user or company or whatever so that it is attributed to the correct account.
I found this question here which kind of points me in the right direction, but do you not have any specific documentation on how to set up your headers and body when using XML for both authenticating and sending a document via email using SOAP?
Providing a simple guide demonstrating the header required and the basic XML to POST to send a document with tags for signing to a single recipient by email using a senders user credentials would be perfect.
Thanks
Sean.
Pi Digital Productions Ltd
SOAP is still using what we call "Legacy Auth" which is the older, less secure, (not OAUTH) authentication.
To use that, you still need an IK (Integration Key) but you provide the username, password and IK in clear text inside a header called X-DocuSign-Authentication that looks like this:
'X-DocuSign-Authentication: { "Username":"DocuSign#example.com", "Password":"DocuSign_password", "IntegratorKey":"DocuSign_Integrator_Key" }'
Currently we're generating Swagger 2.0 documentation using Swashbuckle.AspNetCore. The authentication mechanism being used requires three headers:
X-API-KEY: The shared key
X-API-SIGN: Signature of the request composed of HMACSHA256 hashed value of Hashed secret, Timestamp, Method, Endpoint, and Body
X-API-TIMESTAMP: This is the same timestamp used in the signature
I don't think Swagger or Swashbuckle support this natively so I would likely need to set up some javascript to fill in hidden fields or something in the swagger docs.
I'm currently using an OperationFilter to prepend operation parameters to each request. This doesn't help me once the page loads though since the user will need to enter their API key and secret, which everything else is calculated based on. Clearly javascript will be required here.
Can anyone provide suggestions for how to handle this cleanly?
I wanted to put this as a comment but comments do not allow format so here you go:
The Swashbuckle.AspNetCore seems to be missing the InjectJavaScript feature:
https://github.com/domaindrivendev/Swashbuckle.AspNetCore/search?l=C%23&q=InjectJavaScript
It is there on the older project:
https://github.com/domaindrivendev/Swashbuckle/search?l=C%23&q=InjectJavaScript
That is what I've used to inject some javascript, without that we are very limited.
Now looking at this from a different perspective:
It seems you want to embed the authentication process on the swagger ui...
Maybe on the backend you should bypass the authentication if the request comes from Swagger-Ui
I am trying to use the swagger online editor http://editor.swagger.io/#/
There is a button called Authorize that opens a dialog where you can provide method of authorization. There are two options
The first is for OAuth2 and the second is for API-Key.
I can't figure out how to use these.
For OAuth2 authorization, a client ID is required.How does one get a client id?
For api-key authorization, the editor provides a key called special-key. When I make an API call even without special-key in postman, the API returns a valid response. Is this because the implementation work without keys too?
I am building an API following RESTful principles as much as possible. The request in discussion is to allow a user to check his/her credits available in a system. At the point of request, the system verifies the user by comparing the provided username and password already in the system. Please note that changing the authentication method (to OAuth or the like) is not an option at the moment.
As this is a "Read" request, GET method is used. So, I would have the following:
GET http://mydomain.com/credit?username=XYZ&password=123
By following the RESTful principle and using the verb properly I fear that the username and password is easily readable / accessible. In a non-API scenario I would have just used a normal form POST with SSL...
Am I wrong to assume the risk mentioned above?
You are quite correct that exposing the username and password in plain text in the query string is a bad idea. Like worse than the last three Star Wars movies.
You should be fine though if the same request is made over SSL (assuming a trusted certificate).
REST also has a host of other mechanisms for security like the DOSETA specifications for digital signatures, JSON Web Signature and Encryption, and so on. But you seemed to hint those kinds of things aren't an option.
The Http Authentication header is designed to store information such as username and password. You should use that.
My problem is we have a desktop app (i.e. not web based) which needs to communicate with the box API, from what I can tell OAuth which box uses for authorization, thats difficult to get that situation to work.
Does anyone have some sample C# code to show how it could be done.
Here's how i accomplished this
Created a form using the WebBrowser control
Using that form, navigated to the URL provided by the "GetAuthorizationUrl" method on the TokenProvider. Since I needed to provide a redirect URL I used a website associated with our company. The website would not actually "handle" this redirect request, but that was ok.
After entering my box user id/password and allowing access, the browser control is redirected to the URL specified. Embedded in that URL is the the temporary access token. I had a "Document Completed" event on the WebBrowser so I looked to see if the URL contained the string "code=".
Parsing the URL to get the temporary code I then used the TokenProvider to return the OAuthToken.
From the OAuthToken I could use the [box-csharp-sdk-v2] to create a BoxManager object that handled all the Box API calls.
To be honest its a little kludgy, but it seems to work.
to use Box API For Windows U Can use JWT Authentication which generate a token based on ClientId, Client Secret,Private key ,Public Key And Enterprise key .
this token Will Provided On user basic
there Are Two types of user
1.Admin
2.App user
so there is no need to Login
reference Doc:
https://box-content.readme.io/docs/app-auth
Box Windows SDK
https://github.com/box/box-windows-sdk-v2