JWT Bearer authentication no longer works since update to openapi v2

Issue

Previously, in v9.4.2, the apiKey textbox entry could be used to paste in a JWT, and the following securityDefinitions object would work without issue:

    securityDefinitions:
    {
      jwt:
      {
        type: 'apiKey',
        name: 'Authorization',
        in: 'header'
      }
    }

Since updating to 10.0.2, and after entering a JWT into the dialog opened from the authorize button in the Swagger UI, this no longer works and the only header that is sent is the Accept header.

Environment

    Node: 10.15.3 - C:\Program Files (x86)\nodejs\node.EXE
    Yarn: 1.16.0 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
    npm: 6.7.0 - C:\Program Files (x86)\nodejs\npm.CMD

    "@hapi/good": "^8.2.0",
    "@hapi/good-console": "^8.1.0",
    "@hapi/good-squeeze": "^5.2.0",
    "@hapi/hapi": "^18.3.1",
    "@hapi/inert": "^5.2.1",
    "@hapi/vision": "^5.5.2",
    "hapi-auth-jwt2": "^8.6.1",
    "hapi-swagger": "^10.0.2",

Steps to Reproduce

  • Set up hapi-swagger with the securityDefinitions object shown above
  • Enter a value into the dialog launched from the authorize button
  • Trigger an endpoint that requires authorisation and determine whether the Authorization header is sent

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 11

Top GitHub Comments

11 reactions
arimus commented, Aug 16, 2019

For those that are interested, I was trying to sort through this issue and during my testing I found that a small config tweak caused my Swagger UI to start sending Authorization headers to my backend again:

    // `to` is assumed to be an await-to-js style helper that resolves a promise
    // into an [err, result] tuple instead of throwing.
    let [err] = await to(server.register([
      require('inert'),
      require('vision'),
      {
        plugin: require('hapi-swagger'),
        options: {
          info: {
            title: 'Title',
            description: 'Description',
            version: '1.0'
          },
          grouping: 'tags',
          sortEndpoints: 'ordered',
          documentationPath: '/docs',
          securityDefinitions: {
            'jwt': {
              'type': 'apiKey',
              'name': 'Authorization',
              'in': 'header'
              // 'x-keyPrefix': 'Bearer '
            }
          },
          // THIS WAS THE KEY. Without this, the Authorization headers are never sent,
          // but with it they are!
          security: [{ jwt: [] }]
        }
      }
    ]));

And this is with the current latest release, no modifications from the jwt fix branch needed.
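Why that one line matters: in Swagger 2.0, `securityDefinitions` only declares a scheme; a client such as Swagger UI attaches the credential to a request only when a `security` requirement (global, or on the operation) references that scheme. The following is an added example, not code from hapi-swagger or from the issue, that models that resolution rule and the resulting request headers so the broken and fixed specs can be compared directly. Function names, the constructed spec and the sample token value are assumptions.

```javascript
// Added example (not hapi-swagger code): a minimal model of how a Swagger 2.0
// client decides which credentials to attach. `securityDefinitions` DECLARES a
// scheme; it is APPLIED only via a `security` requirement list, either at the
// top level (default for every operation) or on the operation (override).

// Resolve the security requirements that apply to one operation.
function effectiveSecurity(spec, path, method) {
  const op = spec.paths?.[path]?.[method.toLowerCase()];
  if (!op) throw new Error(`no operation ${method} ${path}`);
  // An operation-level array (even an empty one) replaces the global default.
  return op.security !== undefined ? op.security : (spec.security || []);
}

// Build the headers a client would send after the user entered `apiKeyValues`
// (scheme name -> value) in the authorize dialog. Only apiKey-in-header schemes
// that are actually required by the operation are attached.
function requestHeaders(spec, path, method, apiKeyValues) {
  const headers = { Accept: 'application/json' };
  for (const requirement of effectiveSecurity(spec, path, method)) {
    for (const schemeName of Object.keys(requirement)) {
      const scheme = spec.securityDefinitions?.[schemeName];
      if (!scheme) throw new Error(`security references undefined scheme ${schemeName}`);
      const value = apiKeyValues[schemeName];
      if (scheme.type === 'apiKey' && scheme.in === 'header' && value !== undefined) {
        headers[scheme.name] = value;
      }
    }
  }
  return headers;
}

// Constructed spec mirroring the issue: the jwt scheme is declared, and is
// applied globally only when `applyGlobally` is true (the fix from the comment).
// `/health` opts out with an empty operation-level `security` array.
function buildSpec(applyGlobally) {
  const spec = {
    swagger: '2.0',
    securityDefinitions: { jwt: { type: 'apiKey', name: 'Authorization', in: 'header' } },
    paths: {
      '/me': { get: { responses: { 200: { description: 'ok' } } } },
      '/health': { get: { security: [], responses: { 200: { description: 'ok' } } } }
    }
  };
  if (applyGlobally) spec.security = [{ jwt: [] }];
  return spec;
}
```

Without the global `security` entry the generated document also fails to mark `/me` as protected, so the documentation and the client behaviour are both wrong, not just the header.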

1 reaction
robmcguinness commented, Jul 31, 2019

@emanuelet, work was started in https://github.com/glennjones/hapi-swagger/tree/fix/jwt-authentication for a potential fix, but my bandwidth is limited at the moment. Contributions would be appreciated.
