-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(rest): remove support for HTTP redirect to an external API Explorer #6290
Conversation
BREAKING CHANGE: LoopBack no longer supports automatic redirect to an externally hosted API Explorer UI. Instead, we provide an extension that implements a self-hosted API Explorer UI. See the following documentation page for instructions on setting up a self-hosted API Explorer: - https://loopback.io/doc/en/lb4/Self-hosted-rest-api-explorer.html By default, applications scaffolded using `lb4 app` are coming with a pre-configured API Explorer. If you have scaffolded your application with `@loopback/cli` version `1.2.0` (published in Nov 2018) or later, then no changes are necessary in your project. Signed-off-by: Miroslav Bajtoš <[email protected]>
Signed-off-by: Miroslav Bajtoš <[email protected]>
@bajtos I wonder if we should remove the feature. Some companies may have a site-wide API explorer to render OpenAPI specs in a consistent look-and-feel. Maybe it's better to consolidate the |
Interesting, I didn't consider the use case of having a site-wide API explorer. Let's keep the feature then. I am not sure if it's a good idea to put redirect-to-explorer to
This is not a big deal for apps running the latest version of all modules, but it may become a problem in the future, as we are already witnessing for LoopBack 3 - see strongloop/loopback-component-explorer#263. I am closing this pull request. |
@bajtos I am actually in favor for this PR. What is a site-wide API explorer? |
@raymondfeng can you elaborate "site-wide API explorer"? The lighter the framework, the better. |
For example, BTW, the redirected api explorer is also a good validation of At least, we should poll the community to see if people are using the redirect. |
Such a requirement can be easily be implemented by users themselves without having to depend on our configuration (and implementation) for a hosted Explorer. The problem with us providing the hosted Explorer option:
Add @bajtos's points too. Let's take this "major" opportunity to fix it. |
Also, if I am not wrong, the decision to enable CORS by default was made to support the hosted Explorer. By not supporting the legacy Explorer behavior we will be able to make CORS a more conscious effort on the user's part; then disabling CORS would simply mean not using the CORS extension. Currently disabling CORS is done by passing First off, that's not a pleasant looking config object for humans. By extracting CORS to a standalone extension we can skip the Secondly, someone might re-enable CORS by setting CORS is a complicated config, which can lead to lot of security issues if done wrong. We should avoid all defaults and let users takes 100% responsibility of how they set it up. Read how "safe" CORS configs can go wrong - https://portswigger.net/web-security/cors. Once LB4 grows in popularity, security will become a major concern. We should address it now. |
After this PR lands we should do this - Extract CORS to a standalone extension. |
A bit of history: Back in 2017/2018, we wanted to offer REST API Explorer early on, because we considered it a cornerstone of developer experience. The framework did not provide all the necessary infrastructure yet, therefore we decided to take a short-cut and host swagger-ui at loopback.io. Eventually, we implemented self-hosted REST API Explorer towards the end of 2018 and kept support for external API Explorer for backwards compatibility.
I feel it's past time to drop that legacy. Since we will are already introducing breaking changes in #6288 that will trigger a semver-major release of
@loopback/rest
, I'd like to take this opportunity to get rid of external API explorer too.BREAKING CHANGE
LoopBack no longer supports automatic redirect to an externally hosted API Explorer UI. Instead, we provide an extension that implements a self-hosted API Explorer UI. See the following documentation page for instructions on setting up a self-hosted API Explorer:
By default, applications scaffolded using
lb4 app
are coming with a pre-configured API Explorer. If you have scaffolded your application with@loopback/cli
version1.2.0
(published in Nov 2018) or later, then no changes are necessary in your project.Checklist
npm test
passes on your machinepackages/cli
were updatedexamples/*
were updated👉 Check out how to submit a PR 👈