HTML disallows having multiple IDs with the same value.
In reality this is for 1Password's feature where you can create
custom fields named like input IDs and 1Password will pre-fill those.
* Change existing icons to React wrapper components
* Add `icons` plugin to expose Icon components to plugin system
* Create components that re-export Lock and Unlock components so they can be changed separately in Authorise top button and Authorise operation summary button
* Add new Lock and Unlock icons to `auth` plugin
---------
Co-authored-by: Vladimír Gorej <vladimir.gorej@smartbear.com>
* fix: show client secret input for PKCE auth code flow
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.
Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used silently without being shown to the user).
Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.
[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
* docs: explain why client secret input is shown despite PKCE
* Handle relative urls for oauth authorization
The full URL is computed based on the current selected server
if a relative URL is used as authorizationUrl
or tokenUrl
Co-authored-by: Eliot Berriot <contact@eliotberriot.com>
* Add default configuration `preserveAuthorization`
* Add localStorage to auth plugin
* Add persistAuthorization unit tests
* Refactor persistAuthorization to use wrapped actions
* Upgrade unit tests to be compatible with jest
* Add persistAuthorization documentation
Co-authored-by: Tim Lai <timothy.lai@gmail.com>
This commit changes markdown sanitization behaviour in the following way:
class, style and data-* attributes are removed by default. These attributes
open possible vulnerability vectors to attackers.
The original behavior of the sanitizer (before this commit) can be enabled by the *useUnsafeMarkdown* configuration option.
Use this configuration option with caution and only in cases when you know
what you're doing.
* Fix basic-auth.jsx: do not require password in UI
password is not PropTypes.string.isRequired, but the markup wrongly makes it mandatory
* Do not require password input in http-auth.jsx
This is used by the Authorize modal. Not sure when the similar code from basic-auth.jsx is used.
Co-authored-by: kyle shockey <kyle.shockey1@gmail.com>
* clears authentications when logout is clicked
* tests the headers sent in the network request
* adds test for multiple api keys
* refactors tests to extract common uses
* correct test message description
Co-authored-by: kyle shockey <kyleshockey@gmail.com>
* set new bundlesize goal
* preserve `GeneratorFunction` instead of all function names
* use js-yaml fork that doesn't require esprima
* set HTML content directly, instead of using React-Markdown
* use remarkable for all Markdown rendering
* add babel-plugin-transform-react-remove-prop-types
* remove SplitPaneMode plugin
* remove react-collapse
* remove AST plugin, and yaml-js
* trim Markdown HTML string output before rendering
* disable obsolete function name preservation
* add `getComponent` to propTypes
* Use `parameterWithMeta` to get parameter data in <ParameterRow>
* Prefer specPath when fetching resolved subtrees in OperationContainer
* Add test for OAS3 callback rendering
* Remove debugger statement
* Pass base resolution URL directly to Swagger-Client subtree resolver
* Remove accidental comment
* Migrate additional options
* Don't default to empty Map when getting subtree
* fix(validateParam): check for ImList type before using count method
* Use `replaceState` to update `urls.primaryName`
This gives us the stateful URL we want, without:
(a) refreshing the page on update
(b) creating a long, useless history for the user
(c) implying that browser history is two-way bound
to Swagger-UI (it isn't, we don't have a router)
* Add `fn.opsFilter` docs and internal API versioning note
* restrict `x-example` functionality to Swagger 2.0
* polish Authorize + Close buttons
* add tachyons; use it for padding the new Reset button
* v3.12.0
* rebuild dist
If the swagger.json defines more than one oauth2 Security scheme with
matching scopes, the ids of the scope checkboxes were not unique.
As a result the scope for a second security scheme could not be
selected.
By adding the security scheme name to the id, it becomes more unique.