* fix: show client secret input for PKCE auth code flow
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.
Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).
Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.
[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
* docs: explain why client secret input is shown despite PKCE
* 'available authorization' popup: only show oauth2 scopes relevant for current endpoint (issue #8219)
* unit tests for oauth2 scope filter
Co-authored-by: Kai Morich <kai.morich@sap.com>
Co-authored-by: Tim Lai <timothy.lai@smartbear.com>
* #8057 Fix audio src change issue caused by reconciliation algorithm and that is why audio file load is not starting.
Co-authored-by: Roman Melnyk <r.melnyk@smartrockstars.com>
* fix(request-snippets): prevent scrolling errors from missing function
* refactor(request-snippets): migrate to functional component
* fix(curl): remove undefined prop and function
* test(live-response): fix import of RequestSnippets
SwaggerUI is now built using `webpack@5`, with dev support for `webpack-dev-server@4`
- ES Module output bundle path now points to `swagger-ui-es-bundle-core`, which does not include dependencies
- No change to CommonJS output bundle or path
- Now uses Asset Modules, which replaces `file-loader`, `raw-loader`, and `url-loader`
- Removed unused rules/loaders for `.woff | .woff2 | .ttf | .eot` fonts and html
- Node polyfills are no longer bundled with `webpack@5`, and must be loaded separately and/or use `resolve.fallback`.
As an example, SwaggerUI loads `process`, `buffer`, and `stream-browserify` as `devDependencies` in order to build development and production bundles.
SwaggerUI-React
- Now imports `swagger-ui-es-bundle-core`, and similarly outputs `swagger-ui-es-bundle-core` to its `dist` directory
Dev notes:
- Order of execution matters for the production npm build scripts. `build-stylesheets` needs to get built first,
then cleanup of any empty artifacts, before building the various production bundles
- `Dev-helpers` now relies on `HTMLWebpackPlugin` to inject css and bundle files
Before this change, memoization happened only on first
argument provided to the functions. Now the memoization
properly handle all arguments.
Refs #7800
Reading configuration parameters from URL search params
is by default no longer enabled. To re-enable it, set queryConfigEnabled
configuration parameter to true.
Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.
Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
SyntaxHighlighter component doesn't support ref. We had
to use different approach to finds it's DOM Node using
ref of the root Node of the render tree for HighlightCode
component.
Refs #7497
