# Custom API security


rough cosmos
#

Hi y'all

I'm wondering if I can create a custom login form for Swagger to protect certain APIs.

I'd like it to be username + password,
but unlike basic auth, I want to shoot a request to a local (same server) route, and use the returned access token as Bearer.

The best idea I saw online was to just create a basic auth and a middleware to grab it, but that's real dirty in comparison to the other proper authentication methods I already have implemented.

Will appreciate any good ideas.
Thanks

gusty sandal
#

Since our app is behind an AWS Load Balancer, we use a Listener Rule for this route. We also use Cognito with a custom AD behind it. So this setup was very easy to use. I bet you could do something similar with a custom route. Depends on your setup, but I guess this should also be possible with nginx or any other LB.

If you don't use a LB, you could add a normal route, guard it and return the Swagger JSON as data. Then you just need to solve the issue of getting the Swagger JSON.

Another way, but not really secure: you can inject customJs in the swagger module. See docs https://docs.nestjs.com/openapi/introduction#setup-options
But you would still send the API doc to the frontend. So if someone wants, it would still be possible to get the data.

rough cosmos
#

Thanks for the reply @gusty sandal
I couldn't 100% grasp what you've proposed.
My suspicion is that we're addressing different types of security; it sounds to me like you're referring to the security of logging into the Swagger page itself,
whereas I am looking for a solution for locking specific routes behind a username+password API that returns a JWT.

#

Screenshot attached to better convey what my issue is.
I hate that I have to use a different API to return the bearer token and then manually insert it to auth.
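As an added example (not code from either poster), this is one shape the customJs suggestion above can take for the workflow in the last message: a small script handed to `SwaggerModule.setup` via the `customJs` option that posts the form to a login route and passes the returned JWT to Swagger UI's `preauthorizeApiKey`, so the token no longer has to be pasted into Authorize by hand. The route `/auth/login`, the `access_token` response field and the scheme name `bearer` (the default for `DocumentBuilder.addBearerAuth()`) are assumptions, as is the page-global `window.ui` that the default NestJS Swagger initializer exposes. It changes nothing about route protection: the server-side guards remain the control, and the doc JSON is still sent to the browser, as the reply notes.

```javascript
// swagger-login.js: served as a static file and passed to SwaggerModule.setup(...)
// via { customJs: '/swagger-login.js' }. Route, field and scheme names are assumptions.
const LOGIN_URL = '/auth/login';  // assumed local route that returns a JWT
const SCHEME_NAME = 'bearer';     // default name used by DocumentBuilder.addBearerAuth()

// Build the login request as plain data so its shape can be checked without a browser.
function buildLoginRequest(username, password) {
  return {
    url: LOGIN_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}
// Pull the token out of the login response; reject anything that is not a
// three-part JWT so an error body is never sent on as a Bearer credential.
function extractToken(responseJson) {
  const token = responseJson && responseJson.access_token;  // assumed field name
  if (typeof token !== 'string' || token.split('.').length !== 3) {
    throw new Error('login response did not contain a JWT access_token');
  }
  return token;
}
// Hand the token to Swagger UI. preauthorizeApiKey covers http bearer schemes
// too and keeps the token in page memory only, not in localStorage.
function applyToken(ui, token) {
  ui.preauthorizeApiKey(SCHEME_NAME, token);
  return SCHEME_NAME;
}
async function login(ui, username, password, fetchFn = fetch) {
  const req = buildLoginRequest(username, password);
  const res = await fetchFn(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`login failed with HTTP ${res.status}`);
  return applyToken(ui, extractToken(await res.json()));
}
// Only wire up the form when running inside the Swagger UI page (window.ui is
// the instance the default NestJS initializer exposes).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('load', () => {
    const form = document.createElement('form');
    form.innerHTML = '<input name="u" placeholder="username"> ' +
      '<input name="p" type="password" placeholder="password"> <button>Login</button>';
    form.addEventListener('submit', (ev) => {
      ev.preventDefault();
      login(window.ui, form.u.value, form.p.value).catch((e) => alert(e.message));
    });
    document.body.prepend(form);
  });
}
```

The login route itself should be rate limited and served over HTTPS like any other credential endpoint; the script only saves the copy-and-paste step.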