I'm currently using Swagger in my NestJS project, and I have the explorer enabled:
In main.js:

```javascript
const options = new DocumentBuilder()
  .setTitle('My App')
  .setSchemes('https')
  .setDescription('My App API documentation')
  .setVersion('1.0')
  .build()
const document = SwaggerModule.createDocument(app, options)
SwaggerModule.setup('docs', app, document, {
  customSiteTitle: 'My App documentation',
})
```
With this, the explorer is accessible in /docs, which is what I expected. But I was wondering if it's possible to add any authentication layer to the explorer, so only certain requests are accepted.
I want to make this explorer accessible in production, but only for authenticated users.
Securing access to your Swagger with HTTP Basic Auth using NestJS with Express
First run `npm i express-basic-auth`, then add the following to your main.{ts,js}:
```typescript
import * as basicAuth from "express-basic-auth";
// ...
// Sometime after NestFactory add this to add HTTP Basic Auth
app.use(
  // Paths you want to protect with basic auth
  "/docs*",
  basicAuth({
    challenge: true,
    users: {
      yourUserName: "p4ssw0rd",
    },
  })
);
// Your code
const options = new DocumentBuilder()
  .setTitle("My App")
  .setSchemes("https")
  .setDescription("My App API documentation")
  .setVersion("1.0")
  .build();
const document = SwaggerModule.createDocument(app, options);
SwaggerModule.setup(
  // Make sure you use the same path just without `/` and `*`
  "docs",
  app,
  document,
  {
    customSiteTitle: "My App documentation",
  }
);
// ...
```
With this in place you will be prompted on any of the /docs routes with an HTTP Basic Auth prompt. We add the `*` to also protect the generated JSON (/docs-json) and YAML (/docs-yaml) OpenAPI files. If you have any other route beginning with /docs that should not be protected, you should rather explicitly name the routes you want to protect in an array `['/docs', '/docs-json', '/docs-yaml']`.

You should not put the credentials in your code/repository but rather in your .env and access them via the ConfigService.
I have seen this solution first here.