4
votes

Is there a way to automatically include a CSRF header to requests made from swagger ui, when using the one bundled with springdoc-openapi?

A similar solution appears to be implemented in springfox (GitHub), but I find no information about whether this is possible to accomplish with springdoc-openapi.

2
You can refer to the following link: github.com/springfox/springfox/issues/1450. I don't know if I can help you. - wuchunfu
You have provided a link to a Springfox issue. The question is how to implement CSRF support in the Springdoc library. - Evgeniy Strepetov
Could you share a minimal runnable sample with us? - JRichardsz

2 Answers

2
votes

CSRF tokens are supported by default if you are using standard headers (for example, using spring-security headers).

If the CSRF Token is required, swagger-ui automatically sends the new XSRF-TOKEN during each HTTP REQUEST.

That said - if your XSRF-TOKEN isn't standards-based, you can use a requestInterceptor to manually capture and attach the latest xsrf token to requests programmatically via spring resource transformer:

Also, CSRF is becoming less relevant over time, as browsers add user-agent level support for controls over cross-origin request cookie inclusion.

Starting from release v1.4.4 of springdoc-openapi, a new property is added to enable CSRF support, while using standard header names:

springdoc.swagger-ui.csrf.enabled=true

0
votes

SwaggerUI does not include the CSRF-TOKEN in requests by default.

If you are using React, you can reuse the following code to include it manually:

import React from 'react';
import SwaggerUI from "swagger-ui-react"
import "swagger-ui-react/swagger-ui.css"
import Cookies from 'universal-cookie';

const cookies = new Cookies();

const DocsPage = () => (
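  <SwaggerUI url="/v2/api-docs" requestInterceptor={(request) => {
    // Copy the CSRF token from the cookie into the request header
    request.headers['X-XSRF-TOKEN'] = cookies.get("XSRF-TOKEN");
    // swagger-ui expects the interceptor to return the request
    return request;
  }}/>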
);

export default DocsPage;
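
The requestInterceptor approach that both answers mention, as an added example that is not part of either answer and is not springdoc or swagger-ui code. It goes beyond the snippet above by re-reading the cookie on every request and attaching the token only to state-changing, same-origin calls. The function names are hypothetical, and the cookie and header names assume the Spring Security defaults `XSRF-TOKEN` and `X-XSRF-TOKEN`.

```javascript
// Added example: names below are hypothetical, not swagger-ui or springdoc APIs.
// Assumed Spring Security defaults (CookieCsrfTokenRepository): cookie
// XSRF-TOKEN, header X-XSRF-TOKEN.
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "X-XSRF-TOKEN";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a document.cookie-style string and return one cookie's value, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      try {
        return decodeURIComponent(part.slice(eq + 1).trim());
      } catch (e) {
        return null; // malformed percent-encoding: treat as missing
      }
    }
  }
  return null;
}

// Build a requestInterceptor. getCookies returns the current cookie string so
// the token is re-read on every request (it can rotate); pageOrigin is the
// origin that serves the UI.
function makeCsrfInterceptor(getCookies, pageOrigin) {
  return function csrfInterceptor(request) {
    const method = (request.method || "GET").toUpperCase();
    // Relative URLs resolve against the page origin.
    const target = new URL(request.url, pageOrigin);
    const token = readCookie(getCookies(), CSRF_COOKIE);
    // Attach only to state-changing, same-origin calls so the token is never
    // sent to another server listed in the OpenAPI document.
    if (token && !SAFE_METHODS.has(method) && target.origin === pageOrigin) {
      request.headers = request.headers || {};
      request.headers[CSRF_HEADER] = token;
    }
    return request; // swagger-ui requires the interceptor to return the request
  };
}

// Browser wiring (assumption: passed as the requestInterceptor option):
// makeCsrfInterceptor(() => document.cookie, window.location.origin)
```

Reading the cookie from script only works when the CSRF cookie is not marked HttpOnly.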