package-lock.json was regenerated using Node@16.13.2
and npm@8.1.2. Along with that, these Node.js and npm
versions were set to .nvmrc file.
Given that the dependency tree now changed,
webpack config resolve aliases needed to be
amended to reflect the current dependency tree.
- New top-level field - `webhooks`. This allows describing out-of-band webhooks that are available as part of the API.
- New top-level field - `jsonSchemaDialect`. This allows defining of a default `$schema` value for Schema Objects
- The Info Object has a new `summary` field.
- The License Object now has a new `identifier` field for SPDX licenses. This `identifier` field is mutually exclusive with the `url` field. Either can be used in OpenAPI 3.1 definitions.
- Components Object now has a new entry `pathItems`, to allow for reusable Path Item Objects to be defined within a valid OpenAPI document.
- `License` and `Contact` components are now exported and available via `getComponent`
- New version predicates and selectors for `isOpenAPI30` and `isOpenAPI31`. This avoids needing to change the usage of `isOAS3` selector.
- New OAS3 components: `Webhooks`
- New OAS3 wrapped components: `Info`, `License`
* fix: show client secret input for PKCE auth code flow
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.
Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).
Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.
[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
* docs: explain why client secret input is shown despite PKCE
* 'available authorization' popup: only show oauth2 scopes relevant for current endpoint (issue #8219)
* unit tests for oauth2 scope filter
Co-authored-by: Kai Morich <kai.morich@sap.com>
Co-authored-by: Tim Lai <timothy.lai@smartbear.com>
