Is it possible to protect or disable the swagger ui?

Hello,

I noticed that swagger can be accessed from anywhere, even without the user being logged in. Now, my repositories are protected, but I don’t really like someone having access even to the REST data without being logged in.

Thanks.

We don’t provide any way to hide the swagger APIs. I suppose you could use a proxy in front of nxrm to block requests to that URL, but then admins wouldn’t be able to see them either. The tooling we’re currently using doesn’t provide us with an easy way to restrict access to the swagger APIs based on the current user, so I doubt this will change anytime soon.
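One way to implement the proxy approach mentioned above, as an added example that is not part of this thread or of Sonatype's own documentation. It assumes nginx in front of a Nexus Repository Manager instance listening on 127.0.0.1:8081, that the Swagger UI is served under `/swagger-ui/` and the API description at `/service/rest/swagger.json` (check the paths against your own instance), and uses placeholder hostnames, certificate paths and an admin network range. As the reply notes, the proxy cannot tell who is logged in to NXRM, so the restriction is by source address rather than by user, and admins outside the allowed range lose access as well:

```nginx
# Added example, not from the thread or Sonatype. Assumptions: NXRM on 127.0.0.1:8081,
# Swagger UI under /swagger-ui/, API description at /service/rest/swagger.json.
upstream nxrm {
    server 127.0.0.1:8081;
}

server {
    listen 443 ssl;
    server_name nexus.example.internal;                # placeholder hostname
    ssl_certificate     /etc/nginx/tls/nexus.crt;      # placeholder paths
    ssl_certificate_key /etc/nginx/tls/nexus.key;

    # Swagger UI and the OpenAPI document: reachable only from the admin network.
    # nginx answers 403 for every other source address; it cannot check the NXRM login.
    location ~ ^/(swagger-ui/|service/rest/swagger\.json) {
        allow 10.0.0.0/24;                             # placeholder admin network
        deny  all;
        proxy_pass http://nxrm;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (web UI, repository traffic, the REST endpoints themselves)
    # passes through unchanged. This hides only the API documentation; the REST
    # endpoints under /service/rest/ stay reachable and still depend on NXRM's own
    # authentication and anonymous-access settings.
    location / {
        proxy_pass http://nxrm;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request to `/swagger-ui/` from outside the allowed range should return 403 while the same request from the admin network still reaches NXRM; requests to `/service/rest/v1/...` are unaffected, which is exactly the gap the rest of the thread discusses.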

Hello again,

That’s understandable about the swagger UI. But at least the endpoints should be protected. There is no point in securing the view if it can be accessed through the API. For example, it is possible to do a curl GET operation to the repositories endpoint without any authentication. It is understandable that the repository is protected, but its existence can be known through the API.

The endpoints should require the same security as the UI. For example, the repository list endpoint should only show repositories the user has access to from what I can tell. If you see a gap please open up a bug ticket on https://issues.sonatype.org/ in the NEXUS project.


FYI, recent versions of Nexus Repository Manager now use the official Swagger UI React Component instead of the old iframe approach. That means the swagger-ui page is no longer available outside of the admin menu. That still doesn’t hide the REST APIs or the swagger json.