change: make swagger docs compatible with access/authorization code flow

mgoetzegb · mgoetzegb · commit acb82646bf3e · 2026-04-17T13:12:22.000+02:00
Note: It is not yet compatible with authorization code + PKCE. If that becomes necessary see open PR of related package: swaggo/echo-swagger#100
diff --git a/pkg/swagger/README.md b/pkg/swagger/README.md
@@ -12,6 +12,7 @@ To use the latest swagger-ui (by using github.com/swaggo/files/v2) we needed to
 ## Sources used
 To compile the new package we took the gin-echo package (https://github.com/swaggo/echo-swagger/blob/master/swagger.go) as a reference and added the gin based functionality.
 
+*Note:* It is not yet compatible with `Authorization Code + PKCE` login flow. If that becomes necessary see open PR of related package: https://github.com/swaggo/echo-swagger/pull/100 as a start.
 
 ## Usage
 
@@ -50,18 +51,25 @@ import "github.com/greenbone/opensight-golang-libraries/pkg/swagger"
 
 ## Index
 
-- [Variables](<#variables>)
-- [func DeepLinking\(deepLinking bool\) func\(\*Config\)](<#DeepLinking>)
-- [func DocExpansion\(docExpansion string\) func\(\*Config\)](<#DocExpansion>)
-- [func DomID\(domID string\) func\(\*Config\)](<#DomID>)
-- [func GinWrapHandler\(options ...func\(\*Config\)\) gin.HandlerFunc](<#GinWrapHandler>)
-- [func InstanceName\(instanceName string\) func\(\*Config\)](<#InstanceName>)
-- [func OAuth\(config \*OAuthConfig\) func\(\*Config\)](<#OAuth>)
-- [func PersistAuthorization\(persistAuthorization bool\) func\(\*Config\)](<#PersistAuthorization>)
-- [func SyntaxHighlight\(syntaxHighlight bool\) func\(\*Config\)](<#SyntaxHighlight>)
-- [func URL\(url string\) func\(\*Config\)](<#URL>)
-- [type Config](<#Config>)
-- [type OAuthConfig](<#OAuthConfig>)
+- [ginSwagger](#ginswagger)
+  - [Reason for implementation](#reason-for-implementation)
+  - [Sources used](#sources-used)
+  - [Usage](#usage)
+- [License](#license)
+- [ginSwagger](#ginswagger-1)
+  - [Index](#index)
+  - [Variables](#variables)
+  - [func DeepLinking](#func-deeplinking)
+  - [func DocExpansion](#func-docexpansion)
+  - [func DomID](#func-domid)
+  - [func GinWrapHandler](#func-ginwraphandler)
+  - [func InstanceName](#func-instancename)
+  - [func OAuth](#func-oauth)
+  - [func PersistAuthorization](#func-persistauthorization)
+  - [func SyntaxHighlight](#func-syntaxhighlight)
+  - [func URL](#func-url)
+  - [type Config](#type-config)
+  - [type OAuthConfig](#type-oauthconfig)
 
 
 ## Variables
diff --git a/pkg/swagger/ginSwagger.go b/pkg/swagger/ginSwagger.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"path/filepath"
 	"regexp"
+	"strings"
 
 	"github.com/gin-gonic/gin"
 	swaggerFiles "github.com/swaggo/files/v2"
@@ -26,6 +27,7 @@ type Config struct {
 	PersistAuthorization bool
 	SyntaxHighlight      bool
 	OAuth                *OAuthConfig
+	CSPConnectSrc        []string
 }
 
 type OAuthConfig struct {
@@ -82,6 +84,15 @@ func OAuth(config *OAuthConfig) func(*Config) {
 	}
 }
 
+// CSPConnectSrc adds URLs to the Content Security Policy's connect-src directive.
+// This is necessary to allow the Swagger UI to communicate with Keycloak for authentication.
+// Note: The connect-src directive expects only scheme://host:port without paths
+func CSPConnectSrc(urls ...string) func(*Config) {
+	return func(c *Config) {
+		c.CSPConnectSrc = append(c.CSPConnectSrc, urls...)
+	}
+}
+
 func newConfig(configFns ...func(*Config)) *Config {
 	config := Config{
 		URLs:                 []string{"doc.json", "doc.yaml"},
@@ -106,13 +117,23 @@ var WrapHandler = GinWrapHandler()
 func GinWrapHandler(options ...func(*Config)) gin.HandlerFunc {
 	config := newConfig(options...)
 	index, _ := template.New("swagger_index.html").Parse(indexTemplate)
-	re := regexp.MustCompile(`^(.*/)([^?].*)?[?|.]*$`)
+	re := regexp.MustCompile(`^(.*/)([^?]*)?(\?.*)?$`) // e.g. /api/users?sort=name => [ "api/", "users", "?sort=name" ]
 
 	return func(c *gin.Context) {
 		// Set security headers to protect against ClickJacking and XSS
 		c.Header("X-Frame-Options", "DENY")
 		c.Header("X-XSS-Protection", "1; mode=block")
-		c.Header("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; frame-ancestors 'none'")
+		csp := []string{
+			"default-src 'self'",
+			"script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net",
+			"frame-ancestors 'none'",
+		}
+		if len(config.CSPConnectSrc) > 0 {
+			sources := append(config.CSPConnectSrc, "'self'")
+			connectSrc := "connect-src " + strings.Join(sources, " ")
+			csp = append(csp, connectSrc)
+		}
+		c.Header("Content-Security-Policy", strings.Join(csp, "; "))
 		c.Header("X-Content-Type-Options", "nosniff")
 
 		if c.Request.Method != http.MethodGet {
