package-lock.json was regenerated using Node@16.13.2
and npm@8.1.2. Along with that, these Node.js and npm
versions were set to .nvmrc file.
Given that the dependency tree now changed,
webpack config resolve aliases needed to be
amended to reflect the current dependency tree.
* fix: show client secret input for PKCE auth code flow
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.
Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).
Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.
[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
* docs: explain why client secret input is shown despite PKCE
Makes the last `initOAuth` variable configurable via environment
variables in the swagger-ui docker image.
Co-authored-by: Christopher Giroir <chrisgiroir@improbable.io>
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
Reading configuration parameters from URL search params
is by default no longer enabled. To re-enable it, set queryConfigEnabled
configuration parameter to true.
Functionally, this is a breaking change, but given we're just providing
a security vulnerability patch we're considering this a PATCH version bump
only.
Refs #4872
Refs https://github.com/swagger-api/swagger-ui/security/advisories/GHSA-qrmm-w75w-3wpx
This commit provides a backward compatible mechanism to chain wrap
an individual component multiple times
`Chain` mode: allow chaining of plugins on a given component
`Legacy` mode: last plugin to wrap a given component will supercede others
* chore: Add unit test for wrapComponent wrapping
* doc: Add documentation about the new pluginsOptions configuration
* doc: Add a sidenote on plugin-api page
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
* feat: add tryItOutEnabled configuration
allow users to set tryItOutEnabled: true to display
the "Try it out" section by default
tryItOutEnabled to take === "true" for the
query string value or === true if someone
implements query string type parsing in the query
* Add default configuration `preserveAuthorization`
* Add localStorage to auth plugin
* Add persistAuthorization unit tests
* Refactor persistAuthorization to use wrapped actions
* Upgrade unit tests to be compatible with jest
* Add persistAuthorization documentation
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
This commit changes markdown sanitization behaviour in following way:
class, style and data-* attributes are removed by default. These attributes
open possible vulnerability vectors to attackers.
The original behavior of sanitizer (before this commit) can be enabled by *useUnsafeMarkdown* configuration option.
Use this configuration option with caution and only in cases when you know
what you're doing.
