[Restrict(VisibilityTo = RequestAttributes.Localhost)] does not work in Swagger

Hi,

I have the following attributes on a service:
[Restrict(VisibilityTo = RequestAttributes.Localhost)]
[Api("Non-Public administrative endpoints")]

I see 2 problems:

  1. The endpoints in /metadata appear with the JSON icon greyed out.
  2. The endpoints do not appear at all in /swagger-ui

How can I make the endpoints visible in swagger when viewed from localhost?

Thanks,

Francis

Context sensitive visibility is not available in Swagger UI unless you use conditional compilation to remove it from debug builds, e.g:

#if !DEBUG
[Restrict(VisibilityTo = RequestAttributes.Localhost)]
#endif

Can you show a screenshot of the metadata page? Does this only happen in DebugMode i.e. Config.DebugMode=true?

There should be a " [Admin (Non-Public)]" group visible.

I get the same whether HostConfig.DebugMode is TRUE or FALSE:

I mean for the metadata page, the Swagger UI is the Stock UI.

Ah, sorry.

Here is what it should look like (I put the #if !DEBUG line):

Here is what it looks like without #if !DEBUG:

same url: 127.0.0.1:8900/metadata

Ok what you want is:

[Restrict(VisibleLocalhostOnly = true)]

Because otherwise you would need to specify at a minimum which format it applies to, i.e. for all formats you can use:

[Restrict(VisibilityTo = RequestAttributes.Localhost | RequestAttributes.AnyFormat)]

But really you would want to specify all the request attributes where the request is visible which would be:

[Restrict(VisibilityTo=RequestAttributes.Localhost | RequestAttributes.AnyFormat
 | RequestAttributes.AnySecurityMode | RequestAttributes.AnyHttpMethod
 | RequestAttributes.AnyCallStyle | RequestAttributes.AnyEndpoint)]

and is what this short-hand does:

[Restrict(VisibleLocalhostOnly = true)]

As I don’t believe this behavior is intuitive I’ve also changed VisibilityTo and AccessTo to behave like the other properties where only specifying 1 request attribute implies that the other Request Attribute types are valid so that this:

[Restrict(VisibilityTo = RequestAttributes.Localhost)]

Is now equivalent to:

[Restrict(VisibleLocalhostOnly = true)]

Which is the same as allowing all other Request Attribute types, i.e:

[Restrict(VisibilityTo=RequestAttributes.Localhost | RequestAttributes.AnyFormat
 | RequestAttributes.AnySecurityMode | RequestAttributes.AnyHttpMethod
 | RequestAttributes.AnyCallStyle | RequestAttributes.AnyEndpoint)]

This change is available from v5.12.1+ that’s now available on MyGet.
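
A simplified model of the flag matching described in the reply above, added here as an illustration and not ServiceStack's source code. The `Attr` enum, its bit values, the `Groups` table and `IsVisible` are constructed for this example, and the pre-change rule is assumed to need at least one flag in every group.

```csharp
using System;

// Constructed stand-in for grouped request-attribute flags (not the real enum).
[Flags]
enum Attr
{
    None = 0,
    Localhost = 1 << 0, External = 1 << 1,   // network group
    Json = 1 << 2, Xml = 1 << 3,             // format group
    HttpGet = 1 << 4, HttpPost = 1 << 5,     // HTTP method group
    AnyNetwork = Localhost | External,
    AnyFormat = Json | Xml,
    AnyHttpMethod = HttpGet | HttpPost,
}

static class RestrictModel
{
    static readonly Attr[] Groups = { Attr.AnyNetwork, Attr.AnyFormat, Attr.AnyHttpMethod };

    // The request must match the rule in every group. When impliedAny is true,
    // a group the rule leaves empty is widened to "any" (the changed behaviour);
    // when false, an empty group matches nothing and the service stays hidden.
    public static bool IsVisible(Attr rule, Attr request, bool impliedAny)
    {
        foreach (var group in Groups)
        {
            var allowed = rule & group;
            if (allowed == Attr.None && impliedAny) allowed = group;
            if ((allowed & request & group) == Attr.None) return false;
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample requests.
        var localJsonGet = Attr.Localhost | Attr.Json | Attr.HttpGet;
        var remoteJsonGet = Attr.External | Attr.Json | Attr.HttpGet;

        var bare = Attr.Localhost;                                        // only one group named
        var full = Attr.Localhost | Attr.AnyFormat | Attr.AnyHttpMethod;  // every group spelled out

        Console.WriteLine($"bare, old rule, local:  {IsVisible(bare, localJsonGet, false)}");
        Console.WriteLine($"full, old rule, local:  {IsVisible(full, localJsonGet, false)}");
        Console.WriteLine($"bare, new rule, local:  {IsVisible(bare, localJsonGet, true)}");
        Console.WriteLine($"bare, new rule, remote: {IsVisible(bare, remoteJsonGet, true)}");
    }
}
```
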

I have been a licensed user for years and this was my first time asking a support question. I am totally blown away. Your professionalism, response time, and the fact that you are the product creator and modified the source instantly is exceptional!
