* fix: show client secret input for PKCE auth code flow
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.
Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).
Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.
[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
* docs: explain why client secret input is shown despite PKCE
* 'available authorization' popup: only show oauth2 scopes relevant for current endpoint (issue #8219)
* unit tests for oauth2 scope filter
Co-authored-by: Kai Morich <kai.morich@sap.com>
Co-authored-by: Tim Lai <timothy.lai@smartbear.com>
* fix(request-snippets): prevent scrolling errors from missing function
* refactor(request-snippets): migrate to functional component
* fix(curl): remove undefined prop and function
* test(live-response): fix import of RequestSnippets
Makes the last `initOAuth` variable configurable via environment
variables in the swagger-ui docker image.
Co-authored-by: Christopher Giroir <chrisgiroir@improbable.io>
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
Reading configuration parameters from URL search params
is by default no longer enabled. To re-enable it, set queryConfigEnabled
configuration parameter to true.
Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.
Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
- Update tabs to use <button> elements instead of <a>
- Add aria roles for tablist, tabs, and tabpanel
- Add aria attributes for additional a11y compliance and screen reader accessibility
- Replace ids with data-name attribute for tabpanels
- Add cypress test 7463 and update swos-63
- Move tabs test file to tests/a11y directory
- Rename test file to be more descriptive of what is being tested.
- Add id attributes to both tabs and tabpanels to leverage aria-controls and aria-labelledby attributes
Co-authored-by: Calvin Gonzalez <calvin.gonzalez@oddball.io>
Co-authored-by: Vladimir Gorej <vladimir.gorej@gmail.com>
Closes#7463
Refs #7350
* fix(ux): display actual content type instead of hard-coded application/octet-stream
* feat(ux): show file upload when schema has "format: binary", fixes#5636
* feat(ux): show file upload when schema has "format: base64"
According to
https://github.com/swagger-api/swagger-ui/pull/7325#issuecomment-861684260
the uploaded file should be converted to base64 automatically.
* feat(ux): add cypress tests for displaying an upload button
This commit provides a backward compatible mechanism to chain wrap
an individual component multiple times
`Chain` mode: allow chaining of plugins on a given component
`Legacy` mode: last plugin to wrap a given component will supercede others
* chore: Add unit test for wrapComponent wrapping
* doc: Add documentation about the new pluginsOptions configuration
* doc: Add a sidenote on plugin-api page
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
* feat: adds a11y for ContentType & Responses region
* feat: adds a11y to expandable/collapsible elements
* fix: add aria label to select element for content types
* fix: add aria label prop to contentType component
* Change optag to h3 for better tag hierarchy
Co-authored-by: ediiotero <eddie.otero@oddball.io>
Co-authored-by: Mike Lumetta <mike.lumetta@adhocteam.us>
Co-authored-by: Alexander Valencia <alex.valencia@adhocteam.us>
* fix: required properties
schema required properties should not be treated like required: true.
this lead to objects that requires properties being treated as required itself
* test: try-it-out-schema-required-override-allowed
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
