From be72c292cae62bcaf743adc6236707962bc60bad Mon Sep 17 00:00:00 2001
From: Segev Finer <segev208@gmail.com>
Date: Wed, 20 Mar 2019 21:36:08 +0200
Subject: [PATCH] feature: add `withCredentials` configuration key (via #5149)

* Add the withCredentials configuration key

It enables passing credentials in CORS requests. e.g. Cookies and
Authorization headers.

* Improve withCredentials documentation

* Add unit tests for the withCredentials config

* Update configuration.md

* Update configuration.md

* only set `withCredentials` Fetch flag if the config value is truthy

there are some workarounds in the wild today that involve setting `withCredentials` on `system.fn.fetch` directly.

this approach avoids mangling those existing workarounds!

* add more test cases

* Update configs-wrap-actions.js

* Update index.js
---
 docker/configurator/variables.js              |  6 +-
 docs/usage/configuration.md                   |  5 +-
 src/core/index.js                             |  1 +
 .../swagger-js/configs-wrap-actions.js        |  8 ++
 src/core/plugins/swagger-js/index.js          |  8 +-
 .../plugins/swagger-js/withCredentials.js     | 94 +++++++++++++++++++
 6 files changed, 118 insertions(+), 4 deletions(-)
 create mode 100644 src/core/plugins/swagger-js/configs-wrap-actions.js
 create mode 100644 test/core/plugins/swagger-js/withCredentials.js

diff --git a/docker/configurator/variables.js b/docker/configurator/variables.js
index f99aa3ee..a7aa4ff3 100644
--- a/docker/configurator/variables.js
+++ b/docker/configurator/variables.js
@@ -86,6 +86,10 @@ const standardVariables = {
   VALIDATOR_URL: {
     type: "string",
     name: "validatorUrl"
+  },
+  WITH_CREDENTIALS: {
+    type: "boolean",
+    name: "withCredentials",
   }
 }
 
@@ -102,4 +106,4 @@ const legacyVariables = {
   }
 }
 
-module.exports = Object.assign({}, standardVariables, legacyVariables)
\ No newline at end of file
+module.exports = Object.assign({}, standardVariables, legacyVariables)
diff --git a/docs/usage/configuration.md b/docs/usage/configuration.md
index e718c667..ffbc1806 100644
--- a/docs/usage/configuration.md
+++ b/docs/usage/configuration.md
@@ -71,6 +71,7 @@ Parameter name | Docker variable | Description
 <a name="showMutatedRequest"></a>`showMutatedRequest` | `SHOW_MUTATED_REQUEST` | `Boolean=true`. If set to `true`, uses the mutated request returned from a requestInterceptor to produce the curl command in the UI, otherwise the request before the requestInterceptor was applied is used.
 <a name="supportedSubmitMethods"></a>`supportedSubmitMethods` | `SUPPORTED_SUBMIT_METHODS` | `Array=["get", "put", "post", "delete", "options", "head", "patch", "trace"]`. List of HTTP methods that have the Try it out feature enabled. An empty array disables Try it out for all operations. This does not filter the operations from the display.
 <a name="validatorUrl"></a>`validatorUrl` | `VALIDATOR_URL` | `String="https://online.swagger.io/validator" OR null`. By default, Swagger-UI attempts to validate specs against swagger.io's online validator. You can use this parameter to set a different validator URL, for example for locally deployed validators ([Validator Badge](https://github.com/swagger-api/validator-badge)). Setting it to `null` will disable validation.
+<a name="withCredentials"></a>`withCredentials` | `WITH_CREDENTIALS` | `Boolean=false` If set to `true`, enables passing credentials, [as defined in the Fetch standard](https://fetch.spec.whatwg.org/#credentials), in CORS requests that are sent by the browser. Note that Swagger UI cannot currently set cookies cross-domain (see [swagger-js#1163](https://github.com/swagger-api/swagger-js/issues/1163)) - as a result, you will have to rely on browser-supplied cookies (which this setting enables sending) that Swagger UI cannot control.
 
 ##### Macros
 
@@ -81,7 +82,7 @@ Parameter name | Docker variable | Description
 
 ### Instance methods
 
-**💡 Take note! These are methods, not parameters**. 
+**💡 Take note! These are methods, not parameters**.
 
 Method name | Docker variable | Description
 --- | --- | -----
@@ -91,7 +92,7 @@ Method name | Docker variable | Description
 
 ### Docker
 
-If you're using the Docker image, you can also control most of these options with environment variables. Each parameter has its environment variable name noted, if available. 
+If you're using the Docker image, you can also control most of these options with environment variables. Each parameter has its environment variable name noted, if available.
 
 Below are the general guidelines for using the environment variable interface.
 
diff --git a/src/core/index.js b/src/core/index.js
index def68aa2..50632bcc 100644
--- a/src/core/index.js
+++ b/src/core/index.js
@@ -51,6 +51,7 @@ module.exports = function SwaggerUI(opts) {
     defaultModelsExpandDepth: 1,
     showExtensions: false,
     showCommonExtensions: false,
+    withCredentials: undefined,
     supportedSubmitMethods: [
       "get",
       "put",
diff --git a/src/core/plugins/swagger-js/configs-wrap-actions.js b/src/core/plugins/swagger-js/configs-wrap-actions.js
new file mode 100644
index 00000000..34d0e158
--- /dev/null
+++ b/src/core/plugins/swagger-js/configs-wrap-actions.js
@@ -0,0 +1,8 @@
+export const loaded = (ori, system) => (...args) => {
+  ori(...args)
+  const value = system.getConfigs().withCredentials
+  
+  if(value !== undefined) {
+    system.fn.fetch.withCredentials = typeof value === "string" ? (value === "true") : !!value
+  }
+}
diff --git a/src/core/plugins/swagger-js/index.js b/src/core/plugins/swagger-js/index.js
index 7ecfe957..171a7f5c 100644
--- a/src/core/plugins/swagger-js/index.js
+++ b/src/core/plugins/swagger-js/index.js
@@ -1,4 +1,5 @@
 import Swagger from "swagger-client"
+import * as configsWrapActions from "./configs-wrap-actions"
 
 module.exports = function({ configs, getConfigs }) {
   return {
@@ -22,6 +23,11 @@ module.exports = function({ configs, getConfigs }) {
       },
       serializeRes: Swagger.serializeRes,
       opId: Swagger.helpers.opId
-    }
+    },
+    statePlugins: {
+      configs: {
+        wrapActions: configsWrapActions
+      }
+    },
   }
 }
diff --git a/test/core/plugins/swagger-js/withCredentials.js b/test/core/plugins/swagger-js/withCredentials.js
new file mode 100644
index 00000000..ca98065d
--- /dev/null
+++ b/test/core/plugins/swagger-js/withCredentials.js
@@ -0,0 +1,94 @@
+import expect, { createSpy } from "expect"
+import { loaded } from "corePlugins/swagger-js/configs-wrap-actions"
+
+describe("swagger-js plugin - withCredentials", () => {
+  it("should have no effect by default", () => {
+    const system = {
+      fn: {
+        fetch: createSpy().andReturn(Promise.resolve())
+      },
+      getConfigs: () => ({})
+    }
+    const oriExecute = createSpy()
+
+    const loadedFn = loaded(oriExecute, system)
+    loadedFn()
+
+    expect(oriExecute.calls.length).toBe(1)
+    expect(system.fn.fetch.withCredentials).toBe(undefined)
+  })
+
+  it("should allow setting flag to true via config", () => {
+    const system = {
+      fn: {
+        fetch: createSpy().andReturn(Promise.resolve())
+      },
+      getConfigs: () => ({
+        withCredentials: true
+      })
+    }
+    const oriExecute = createSpy()
+
+    const loadedFn = loaded(oriExecute, system)
+    loadedFn()
+
+    expect(oriExecute.calls.length).toBe(1)
+    expect(system.fn.fetch.withCredentials).toBe(true)
+  })
+  
+  it("should allow setting flag to false via config", () => {
+    const system = {
+      fn: {
+        fetch: createSpy().andReturn(Promise.resolve())
+      },
+      getConfigs: () => ({
+        withCredentials: false
+      })
+    }
+    const oriExecute = createSpy()
+
+    const loadedFn = loaded(oriExecute, system)
+    loadedFn()
+
+    expect(oriExecute.calls.length).toBe(1)
+    expect(system.fn.fetch.withCredentials).toBe(false)
+  })
+  
+   it("should allow setting flag to true via config as string", () => {
+    // for query string config
+    const system = {
+      fn: {
+        fetch: createSpy().andReturn(Promise.resolve())
+      },
+      getConfigs: () => ({
+        withCredentials: "true"
+      })
+    }
+    const oriExecute = createSpy()
+
+    const loadedFn = loaded(oriExecute, system)
+    loadedFn()
+
+    expect(oriExecute.calls.length).toBe(1)
+    expect(system.fn.fetch.withCredentials).toBe(true)
+  })
+  
+  it("should allow setting flag to false via config as string", () => {
+    // for query string config
+    const system = {
+      fn: {
+        fetch: createSpy().andReturn(Promise.resolve())
+      },
+      getConfigs: () => ({
+        withCredentials: "false"
+      })
+    }
+    const oriExecute = createSpy()
+
+    const loadedFn = loaded(oriExecute, system)
+    loadedFn()
+
+    expect(oriExecute.calls.length).toBe(1)
+    expect(system.fn.fetch.withCredentials).toBe(false)
+  })
+})