api_key not send as header param when pressing Explore button #1243

Closed
pjmolina opened this issue May 6, 2015 · 9 comments
@pjmolina

pjmolina commented May 6, 2015

With the latest sources of swagger-ui, I was not able to send the api_key using the UI as a header param.

Repro sample:
Using http://petstore.swagger.io/ point to: https://model-101.herokuapp.com/api/swagger.json using apikey = icinetic does not send credentials -> 401.

Server accepts it via header, cookie or query param string.

Using the following one does the trick but without using the api_key header:

Using http://petstore.swagger.io/ point to: https://model-101.herokuapp.com/api/swagger.json?api_key=icinetic using apikey = `` works -> 200.

Tested with petstore.swagger.io and a local environment with the latest sources.
Is it a bug or am I missing something? Thx.

@webron
Contributor

webron commented May 6, 2015

Yup, this is a known issue (#1160). It's currently fixed in the develop_2.0 branch, so please give it a try.

@pjmolina
Author

pjmolina commented May 6, 2015

After trying it with the develop_2.0 branch, I am afraid it is still happening. :(

See the (missing) headers sent by swagger-ui (no credentials are included):

Call:

GET https://model-101.herokuapp.com/api/swagger.json HTTP/1.1
Host: model-101.herokuapp.com
Connection: keep-alive
accept: application/json;charset=utf-8,*/*
Origin: http://localhost:5000
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Referer: http://localhost:5000/swagger-ui-2/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: es-ES,es;q=0.8,en-US;q=0.6
If-None-Match: W/"6zUC/s1vtCY+cW/x0A4Qaw=="

Response:

HTTP/1.1 401 Unauthorized
Server: Cowboy
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With, Content-Type
Access-Control-Allow-Methods: OPTIONS,GET,POST,PUT,DELETE
Content-Type: text/html; charset=utf-8
Content-Length: 13
Etag: W/"d-cd263ca0"
Set-Cookie: connect.sid=s%3AHyxh5LG-mOgGdxwoNlI6wqKXXRhx0BA2.AZPxVXxvHC99yvU8d5MFLqaTTp5ZmZB9bYalO7Sfxsc; Path=/; HttpOnly
Vary: Accept-Encoding
Date: Wed, 06 May 2015 11:22:30 GMT
Via: 1.1 vegur

Unauthorized.

Calling it directly with credentials on query https://model-101.herokuapp.com/api/swagger.json?apiKey=icinetic
or header adding apiKey: icinetic works as expected.

@nddery

nddery commented May 20, 2015

We have the same problem using either the develop_2.0 or master branch. It won't send the api_key as query or header; neither currently works.

@fehguy
Contributor

fehguy commented May 22, 2015

Hi, I've been through this several times and I don't believe there is an issue with keys being set. Can you please share your swagger spec?

@pjmolina
Author

Sure Tony. The spec is here:
https://model-101.herokuapp.com/api/swagger.json?apiKey=icinetic

Thanks

@fehguy
Contributor

fehguy commented May 22, 2015

OK, here's the issue. You have keys like this:

security: [ ],
operationId: "create_apikeys",
summary: "Create some admin-apikeys",
description: "Create one or more admin-apikeys.",
tags: ["_apikeys"]

Note the security array is empty. That means, per the swagger spec, that "no security is required" and therefore the UI will not pass any headers. You have two options.

  1. add a security requirement instead of an empty array. This requirement should match a security definition.

  2. remove the security array altogether. That means "add all headers"
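
The rule described in the comment above can be checked mechanically. The following is an added example, not part of the original thread and not swagger-ui's own code: a Node.js audit over a Swagger 2.0 spec object that flags operations with an empty `security` array and requirements that name no entry in `securityDefinitions`. The sample spec, its paths and its scheme names are constructed for illustration.

```javascript
// Added example (not swagger-ui code): audit `security` on Swagger 2.0 operations.
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch"];

function auditSecurity(spec) {
  const defined = new Set(Object.keys(spec.securityDefinitions || {}));
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op) continue;
      const where = `${method.toUpperCase()} ${path}`;
      // No `security` key: nothing is overridden for this operation.
      if (!Array.isArray(op.security)) continue;
      if (op.security.length === 0) {
        // Empty array: "no security is required", so no key is sent.
        findings.push({ where, issue: "empty-security", detail: null });
        continue;
      }
      // Each requirement must name an entry in securityDefinitions.
      for (const requirement of op.security) {
        for (const name of Object.keys(requirement)) {
          if (!defined.has(name)) {
            findings.push({ where, issue: "undefined-scheme", detail: name });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample spec (paths and scheme names are hypothetical).
const sampleSpec = {
  swagger: "2.0",
  securityDefinitions: {
    apiKeyHeader: { type: "apiKey", name: "apikey", in: "header" }
  },
  paths: {
    "/admin-apikeys": {
      get: { operationId: "list_apikeys", security: [{ apiKeyHeader: [] }] },
      post: { operationId: "create_apikeys", security: [] }
    },
    "/items": {
      get: { operationId: "list_items", security: [{ api_key: [] }] },
      post: { operationId: "create_item" }
    }
  }
};
for (const f of auditSecurity(sampleSpec)) console.log(f.where, f.issue, f.detail || "");
```

Running such a check against a spec before publishing it catches both an operation unintentionally declared as needing no credentials and a requirement that points at a scheme the spec never defines.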

@pjmolina
Author

Thanks Toni. I will test & fix it on my side asap.

@pjmolina
Author

Tested and working. Thanks!

@fehguy
Contributor

fehguy commented May 23, 2015

Great news. We're going to work on some better documentation for this.
