feat(auth): add auth.expose_docs flag to view API docs without a token
The /docs, /redoc and /openapi.json routes are gated by AuthRequired, so a browser can't open them on plain navigation (no way to attach a Bearer token). Add an opt-in auth.expose_docs flag (default off) that relaxes ONLY those three routes to anonymous access (loopback + LAN) via a new verify_docs_access dependency. Every real endpoint stays protected, and a startup WARNING fires when the flag is on. - config: AuthConfig.expose_docs: bool = False - auth: verify_docs_access / DocsAccess dependency - main: docs routes use DocsAccess; startup warning - default_config.yaml: documented flag - tests: docs anonymous when exposed; real endpoints still 401
This commit is contained in:
@@ -22,6 +22,14 @@ auth:
|
||||
# api_keys:
|
||||
# my-client: "replace-with-output-of-openssl-rand-hex-32"
|
||||
|
||||
# Expose the interactive API docs (/docs, /redoc, /openapi.json) WITHOUT a
|
||||
# Bearer token so they can be opened directly in a browser. When true, this
|
||||
# applies to loopback AND LAN clients. Only the API *surface* (route paths +
|
||||
# parameter schemas) is exposed — calling an endpoint from Swagger still
|
||||
# requires the token via its "Authorize" button, and every other route stays
|
||||
# protected. Leave false unless you want browsable docs on your network.
|
||||
expose_docs: false
|
||||
|
||||
# Storage paths default to ./data relative to the server's working directory.
|
||||
# Set LEDGRAB_DATA_DIR in the environment to point at a different data root
|
||||
# (the whole dir — both the database and assets), or uncomment the block
|
||||
|
||||
Reference in New Issue
Block a user