feat: enable swagger-ui token

[jannyHou]

The spike PR for loopbackio/loopback-next#2027
Details are explained in the readme file.

[hacksparrow]

With the limitations and the next plans explained in the docs, this is looking good. Excellent job @jannyHou 👍

[bajtos]

Great work, @jannyHou. I especially like the screenshot you are adding to README 👍

I'd like to discuss the implementation details though, please see my second comment below.

[bajtos]

Suggested change

	You can check the swagger
	You can check the OpenAPI

[bajtos]

I believe it should be fine to call this.api() just with Security parts, because the code gathering spec from controllers & routes will merge that new spec with the object supplied to this.api().

Have you tried to call this.api() from the constructor?

export class ShoppingApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options?: ApplicationConfig) {
    super(options);

    this.api({
      components: {
          ...SECURITY_SCHEMA_SPEC,
      },
      security: SECURITY_SPEC,
  });

  // etc.
}

In my opinion, the security spec does not depend on the app being started, therefore it should be available even before app.start() is called. Thoughts?

[bajtos]

Should we perhaps add a story to improve app.api() to intelligently merge the new spec with any spec provided by previous calls of app.api()?

[jannyHou]

@bajtos Now app.api() takes in an entire spec in type OpenAPISpec, not Partial<OpenAPISpec>, that's why it's not possible to merge a partial spec into the generated server's spec.

Do we want to change its behaviour to take in a partial OpenAPI spec? If so I can create a story for it :), see comment loopbackio/loopback-next#2027 (comment)

[bajtos]

Well, what are the required fields? Isn't it just a paths object that can be empty?

this.api({
  components: {
    ...SECURITY_SCHEMA_SPEC,
  },
  security: SECURITY_SPEC,
  paths: {
    // will be filled by LoopBack from controller metadata
  }
});

[jannyHou]

@bajtos Not really, the problem is the openapi and info fields, they are required and especially the info object, you cannot provide an empty value like '' or {}.

See my last commit, to call this.api(), I have to provide valid value for openapi and info, but the rest server doesn't overwrite them later.

The good spec filled by rest server:

The one generated by calling this.api() with "empty" openapi and info fields:

We can improve this by defining and checking the empty value of openapi and info, like

// in rest server
if (spec.openapi == '') {// generate openapi field }
if (spec.info.title == '' && spec.info.version == '') {// generate info field}

Thought? If this is the right direction for improvement I can create an issue (or just submit a PR)

[bajtos]

I see, thank you for explaining the details!

I think that ideally, I'd like:

• app.api() require fields like info to force the user to provide these required fields. The current implementation is good for that 👍
• Have a way for extensions to contribute additional OpenAPI metadata. This could be a new method in Application or RestServer, but we can also use binding-based approach where the app collects OpenAPI metadata from bindings with a given tag (or other metadata-based specification). I think this is out of scope of your current work (both on the spike and on enabling auth in swagger-ui), so let's create a spike issue to research different options.

As for this spike PR, I think the current proposal (as shown in the committed code) is good enough and no further changes are necessary 👍

/cc @raymondfeng

[raymondfeng]

We're already exploring the idea to create an extension point to enhance the generated OpenAPI spec so that the application or other extensions can add code to transform the spec.

[bajtos]

IIUC, this is configuring basicAuth schema. Is that intentional? I thought that we use bearerAuth schema everywhere. Or is this just for the spike?

[jannyHou]

@bajtos Oh this is just a demo, for spike only, I just want to verify that a operation level security policy(which is different than the global bearerAuth) works.

I thought that we use bearerAuth schema everywhere

Exactly 💯

[agnes512]

I don't know much about the implement part. But the README writeup is pretty straightforward~! Just a few comments.

[agnes512]

-> will be hidden

[agnes512]

your new entry -> the new added entry better?

[bajtos]

LGTM with a small comment to consider.

[bajtos]

Can you fill title and version with something more meaningful please? Personally, I'd use metadata from package.json.

import * as package from '../package.json';
// ...

info: {title: package.name, version: package.version}

[jannyHou]

updated 👌

[raymondfeng]

@jannyHou Please fix the code-lint issue.

[jannyHou]

Follow up stories see loopbackio/loopback-next#2027 (comment)

[jannyHou]

servers: [{url: '/'}]

[jannyHou]

or config it when create the rest app:

https://loopback.io/doc/en/lb4/Server.html#customize-how-openapi-spec-is-served

[jannyHou]

Closed as the tutorial is added :)