CDS Authentication on $api-docs

[TornadoM]

Hello all,

Thanks a lot for this tool. I have a question regarding the Swagger route. Hope this is the right place for it. It seems that the Swagger endpoint (e.g. /$api-docs/...) is publicly accessible by default. Is there a way to protect it using CDS authentication?

In a CDS service definition, we can do something like this:

service AAAA @(requires: ['xxxxxx']) @(path: '/xxxxx');

But how can we achieve something similar for the CDS Swagger UI?

We’d like only users with specific scopes to be able to access the documentation.

Thanks a lot for your help.

[chgeo]

In a CDS service definition, we can do something like this:

service AAAA @(requires: ['xxxxxx']) @(path: '/xxxxx');

But how can we achieve something similar for the CDS Swagger UI?

At the moment, that's not possible I am afraid. The endpoint is added on express-level, and not through CAP. If I added it trough CAP, swagger-ui-express can't be bootstrapped on the same URL path.

One way I could imagine this to work is to use CAP's auth APIs programmatically to check for the required scopes. Needs more time to investigate...

[nils]

I recently tried to implement similar functionality by re-implementing cds-swagger-ui-express in the form of a protocol adapter:

@protocol: ['swaggerui', 'odata-v4']
service MyService {
....
}

I haven't finished that approach because we found another (quick, but ugly) workaround for authorization.

@chgeo Do you think changing this plugin to a protocol adapter approach is generally thinkable? If so, I would invest a little bit more into the idea and provide it as a PR for a potential new (major?) version. I guess it would help in this instance because then we are at the CAP level.

PS: We have now switched to the protocol adapter for our purposes, which brings us the @requires check for free.
@chgeo: Please let me know if it is worth "repackaging" the adapter as a plugin in your opinion.

[chgeo]

Please let me know if it is worth "repackaging" the adapter as a plugin in your opinion.

@nils That's interesting, I've never thought about it.
Could you link the code here?