I followed the following link from swagger documentation to create swagger json for my rest api.
https://swagger.io/docs/specification/2-0/describing-request-body/
In my rest api, I have request body and http headers like Content-Type and Authorization that go along with the service request.
I was wondering if there is a way to include request body and http header information in the swagger json ? I don't see that information in the swagger docs.
The Content-Type header of requests and responses is defined by the consumes and produces keywords, respectively. They can be specified on the operation level or on the root level of the spec.
The Authorization header is defined using the securityDefinitions and security keywords. OpenAPI/Swagger 2.0 supports Basic authentication, API keys and OAuth 2.
Other headers can be defined as in: header parameters.
For example, if an operation POSTs JSON and uses Basic auth, you can describe it as follows:
swagger: '2.0'
...
securityDefinitions: # Authorization, part 1
basicAuth:
type: basic
paths:
/something:
post:
summary: POST some JSON
consumes:
- application/json # Request Content-Type
produces:
- application/json # Response Content-Type
security:
- basicAuth: [] # Authorization, part 2
parameters:
- in: body
name: body
required: true
schema:
$ref: '#/definitions/Something'
responses:
200:
description: OK
Relevant documentation:
MIME Types
Authentication
Describing Parameters
Related
I have this config file for my Google Cloud Platform API Gateway endpoint:
swagger: '2.0'
info:
title: api-1
description: API Gateway First for Testing
version: 1.0.0
securityDefinitions:
api_key_header:
type: apiKey
name: key
in: header
schemes:
- https
produces:
- application/json
paths:
/endpoint1:
post:
summary: Simple echo service
operationId: echo-1
x-google-backend:
address: https://<CLOUD FUNCTION GEN 2 NAME>-<MORE IDENTIFYING INFO>-uc.a.run.app
security:
- api_key_header: []
responses:
'200':
description: OK
As you can see, I'm trying to require an API key in order for my server to call the API safely. In my opinion, an API key is necessary for security to prevent someone from figuring out my endpoint and spaming the GCP function.
I created an API key to use for this API endpoint (I censored a lot of data for privacy reasons):
I tried to call the endpoint in Postman like this:
curl --location --request POST 'https://<API CALLABLE ENDPOINT>.uc.gateway.dev/endpoint1' \
--header 'X-goog-api-key: <MY API KEY HERE>' \
--header 'Content-Type: application/json; charset=utf-8' \
--data-raw '{
"name": "Test1"
}'
The problem is that the Postman request works... always lol. No matter what incorrect API key I use for the header...
I noticed that there is no place where I'm directly referencing my API key name. I'm not sure where I'd put this. How do I alter this API Gateway to properly reject requests that do not contain the correct API key?
All available formats are specified on this documentation.
When requesting Api Key through the header, you have to match a specific name which is "x-api-key".
So for your openapi file, it gives the following securityDefinitions:
securityDefinitions:
api_key_header:
type: "apiKey"
name: "x-api-key"
in: "header"
And the curl request should have this header then:
--header 'x-api-key: <MY API KEY HERE>'
I have a Swagger 2.0 file that has an auth mechanism defined but am getting errors that tell me that we aren't using it. The exact error message is “Security scheme was defined but never used”.
How do I make sure my endpoints are protected using the authentication I created? I have tried a bunch of different things but nothing seems to work.
I am not sure if the actual security scheme is defined, I think it is because we are using it in production.
I would really love to have some help with this as I am worried that our competitor might use this to their advantage and steal some of our data.
swagger: "2.0"
# basic info is basic
info:
version: 1.0.0
title: Das ERP
# host config info
# Added by API Auto Mocking Plugin
host: virtserver.swaggerhub.com
basePath: /rossja/whatchamacallit/1.0.0
#host: whatchamacallit.lebonboncroissant.com
#basePath: /v1
# always be schemin'
schemes:
- https
# we believe in security!
securityDefinitions:
api_key:
type: apiKey
name: api_key
in: header
description: API Key
# a maze of twisty passages all alike
paths:
/dt/invoicestatuses:
get:
tags:
- invoice
summary: Returns a list of invoice statuses
produces:
- application/json
operationId: listInvoiceStatuses
responses:
200:
description: OK
schema:
type: object
properties:
code:
type: integer
value:
type: string
securityDefinitions alone is not enough, this section defines available security schemes but does not apply them.
To actually apply a security scheme to your API, you need to add security requirements on the root level or to individual operations.
security:
- api_key: []
See the API Keys guide for details.
I'm invoking a HTTP GET request to another system using RESTEasy with resteasy-client:3.12.1.Final (provided by WildFly 20.0.1.Final).
ResteasyClient client = new ResteasyClientBuilder().build;
ResteasyWebTarget target = client.target(fromPath(url));
Response response = target.request()
.header(AUTHORIZATION, "Basic <authentication_token>")
.accept(APPLICATION_JSON)
.get()
As you can see, I don't configure anything "special" in the ResteasyClientBuilder but for some reason all requests contain this header parameter: Accept-Encoding: gzip which causes some trouble on the remote side.
The RESTEasy documentation however states:
RESTEasy supports (though not by default - see below) GZIP
decompression. If properly configured, the client framework or a
JAX-RS service, upon receiving a message body with a Content-Encoding
of "gzip", will automatically decompress it. The client framework can
(though not by default - see below) automatically set the
Accept-Encoding header to be "gzip, deflate" so you do not have to set
this header yourself.
From my understanding the gzip parameter should not be set by default. Or are there any other possible default configurations which might add this parameter?
You might want to try this:
Variant variant = new Variant(MediaType.JSON_APPLICATION, "", "gzip");
Response response = client.target(generateURL("/big/send")).request().post(Entity.entity(b, variant));
Requirement -
User will hit an URL and a CSV is downloaded on calling machine.
Implementation
Below is my RAML (1.0) definition
/{format}:
is: [ genericErrorResponsesCompliant ]
get:
description: Get/Download list of all ACTIVE accounts in a given format (CSV/JSON) default is JSON
body:
application/json:
responses:
200:
body:
application/octet-stream:
202:
body:
application/json:
404:
body:
application/json:
example: !include resources/json/example/error/error-resource-not-found-response-example.json
ISSUE:
When request are sent using -
API-Console to invoke the API, a CSV response is seen
postman - I get UnsupportedMediaTypeException in Mule Console
postman (when Content-Type application/json is passed) CSV output is seen in the response section
browser I get the error UnsupportedMediaTypeException
Question
If i do not set the content-type then the API-Kit fails validation and an exception is sent. Is there a way where a default Content-Type is set as application/json and the end-user can access the url from the browser and the csv is downloaded?
I should be able to overcome Exception thrown by API-Kit
If you need any more information let me know, but I am struggling to get this done. Any help will be appreciated.
Exception
Root Exception stack trace:
org.mule.module.apikit.exception.UnsupportedMediaTypeException
at org.mule.module.apikit.HttpRestRequest.handleUnsupportedMediaType(HttpRestRequest.java:306)
at org.mule.module.apikit.HttpRestRequest.negotiateInputRepresentation(HttpRestRequest.java:300)
Environment
Mule 3.8 runtime on Studio version 6.1.1
It's because you have this for the GET request:
get:
description: Get/Download list of all ACTIVE accounts in a given format (CSV/JSON) default is JSON
body:
application/json:
Remove body: application/json there's no need for it on the GET request. It will then allow you invoke the API without a Content-type.
I wish if it worked.
Get the same exception. RAML after #ryan-carter suggestions
/{format}:
is: [ genericErrorResponsesCompliant ]
get:
description: Get list of all ACTIVE accounts for a given country in a given format (CSV/JSON) default is JSON
headers:
Content-Type:
default:
'*/*'
responses:
200:
body:
application/octet-stream:
I have a problem with WebDAV. I have to get a list of files. I have this request:
<?xml version="1.0"?>
<D:searchrequest xmlns:D = "DAV:">
<D:sql>
SELECT "DAV:displayname" FROM "address" WHERE "DAV:ishidden" = false AND "DAV:isfolder" = false
</D:sql>
</D:searchrequest>
Response:
401 - Unauthorized: Access is denied due to invalid credentials.
I have user and password (who has access), but I don't know, how I can put this data to XML request.
WebDAV uses an HTTP authentication.
So you put your credentials to an HTTP header, not to the WebDAV XML in the HTTP body.
The basic HTTP authentication works like:
You get a WWW-Authenticate header from the server
WWW-Authenticate: Basic realm="server"
You include the Authorization header to the next request. The value of the header is:
Authorization: Basic username:password
where the username:password is in Base-64 encoding.
Authorization: Basic dXNlcjpwYXNzd29yZA==
For details, see
Basic access authentication on Wikipedia
RFC 7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication