Swagger API Help


ShadowKindjal

To conclude, there isn't a secure way to notify swagger I'm using a reverse proxy and enable HTTPS requests. Is that a correct assumption?


ShadowKindjal
On 3/28/2023 at 12:13 AM, Luke said:

What do you mean by notify swagger?

I may be using the wrong terminology but I'm asking if there's a way to notify Swagger that I'm using HTTPS via a reverse proxy. Right now Swagger loads with an HTTP address.

 


ShadowKindjal

I figured it would load with my HTTPS prefixed web address unless I'm understanding something incorrectly. Attempting to run Swagger APIs fails because of the wrong URL. Copying the request URL and switching to HTTPS works.


rbjtech

Rewind a bit - are you trying to use swagger (https://swagger.emby.media) to send remote API requests to your external site via https ?

If yes, then just change the 'serverUrl' to https and it'll work.

If you wanna use http - then you can - but it needs to be localhost due to CORS.  You can add an exception into the browser which allows you to use other hosts as well (this is what I do).

In Edge - 'edge://flags' - then add your emby url (http) and you can access it via the swagger API (https) using a local http listener.


ShadowKindjal
5 hours ago, softworkz said:

Do you mean that this link

[image]

...is referring to your server with an http URL instead of an https URL?

So essentially, you are asking for the letter 's' to be added to that URL, right?

Yes, that's what I was referring to. I apologize for not making that clear.


rbjtech
3 hours ago, softworkz said:

Ah yes, you're right. He would need to add the serverUrl parameter, like this: https://emby.domain.org/emby/openapi?serverUrl=https%3A%2F%2Femby.domain.org

Yep - that's what I said in a previous reply  ... ;) 

https://emby.media/community/index.php?/topic/110642-swagger-api-help/&do=findComment&comment=1241449

  • Like 1

rbjtech
3 hours ago, softworkz said:

But not when you add the 's' here, right?

[image]

Agreed - if you add the https into the URL - swagger then uses it ongoing (as the listed 'server').

  • Like 1

The reasons why this is a bit complicated are these:

The swagger/openapi spec is intended to describe REST API services in the cloud that are reachable via a fixed defined URL, but in the case of Emby, there are multiple possible URLs through which one might access the server:

  • localhost
  • LAN IP
  • LAN host/dns name (with or without SSL)
  • Public IP
  • Public host/dns name (with or without SSL)

And for all these cases, there may be different ports in place.
Usually Emby 'knows' all these from the network configuration where you can define this.

But at the time when I had done all this, OpenAPI (Swagger 3.0) was just brand-new and Swagger (2.0) doesn't allow specifying multiple server URLs. Yet we wanted to support 2.0 as well, so I came to the "trick" of serving the swagger JSON document dynamically, which works in a way that the server uses the http(s) through which the swagger.json or openapi.json documents are requested, to build the server URL and put it into the json doc before it's being served.

This way, the URL in the doc is (almost) always the right one.

OpenAPI allows specifying multiple URLs (that's why you see a dropdown), but I chose not to populate them from the server configuration for two reasons:

  • Security
    The swagger/openapi docs are accessible without authentication and adding all the server URLs to the doc would reveal your internal ports and IP addresses.
  • Auto-Authorization
    The hosted swagger UI (https://swagger.emby.media/) has a few modifications. One of them is automatic authorization.
    When you go through the link from the dashboard page, it conveys an api_key with which you are authorized automatically and you're ready to try out the APIs.
    This wouldn't work if there were multiple URLs.

I guess I made it all a bit too convenient. After all, it was just meant to be an API documentation for developers as we didn't have any at that time (until recently: https://dev.emby.media/reference/RestAPI.html). When it doesn't work perfectly in a few edge cases, then I wouldn't see that as a critical thing as there are multiple easy ways to deal with it:

  1. Just save the corrected URL somewhere and use it instead of the API link
  2. Download the OpenAPI document, enter the correct server url and save it wherever you want
    (on some web server,  web storage, or even put it somewhere under 'dashboard-ui' in the Emby server installation, so you can access it through Emby)
  3. Save it locally and load it into any of the swagger.io tools or postman or whatever...

For 2 and 3, you'll need to authorize manually by entering the api_key, but that's not really a big thing.

  • Thanks 1
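An added example, not part of the original post and not Emby's own code: a Python sketch of option 2 above that rewrites a saved Swagger 2.0 or OpenAPI 3 document so it lists only the HTTPS reverse-proxy origin, builds the `serverUrl` link quoted earlier in the thread, and checks that no internal address is left in the document. The function names and the two sample documents are constructed for illustration; `servers`, `host`, `schemes` and `basePath` are the standard specification fields.

```python
import copy
import ipaddress
from urllib.parse import quote, urlsplit, urlunsplit

def openapi_link(public_origin: str) -> str:
    """Link to the server's OpenAPI doc with an explicit serverUrl, as in the thread."""
    origin = public_origin.rstrip("/")
    return f"{origin}/emby/openapi?serverUrl={quote(origin, safe='')}"

def pin_server(doc: dict, public_origin: str) -> dict:
    """Copy of a Swagger 2.0 / OpenAPI 3 doc that lists only the HTTPS proxy origin."""
    new = urlsplit(public_origin)
    if new.scheme != "https" or not new.netloc:
        raise ValueError("public_origin must be an absolute https:// URL")
    out = copy.deepcopy(doc)
    if "openapi" in out:                      # OpenAPI 3.x: "servers" list
        old = urlsplit((out.get("servers") or [{"url": "/"}])[0]["url"])
        # Keep the API base path, swap scheme and host, drop any extra entries.
        out["servers"] = [{"url": urlunsplit(("https", new.netloc, old.path, "", ""))}]
    elif "swagger" in out:                    # Swagger 2.0: a single host only
        out["host"], out["schemes"] = new.netloc, ["https"]
    else:
        raise ValueError("not a Swagger 2.0 or OpenAPI 3 document")
    return out

def internal_hosts(doc: dict) -> list:
    """Server hosts in the doc that are private/loopback IPs or 'localhost'."""
    hosts = [urlsplit(s["url"]).hostname for s in doc.get("servers", [])]
    if "host" in doc:
        hosts.append(urlsplit("//" + doc["host"]).hostname)
    found = []
    for h in filter(None, hosts):
        try:
            ip = ipaddress.ip_address(h)
            if ip.is_private or ip.is_loopback:
                found.append(h)
        except ValueError:                    # a DNS name, not an IP literal
            if h == "localhost":
                found.append(h)
    return found

# Constructed sample documents (not real Emby output).
OAS3 = {"openapi": "3.0.0", "servers": [{"url": "http://192.168.1.10:8096/emby"}], "paths": {}}
SWAGGER2 = {"swagger": "2.0", "host": "192.168.1.10:8096", "basePath": "/emby",
            "schemes": ["http"], "paths": {}}
```

Running `internal_hosts` on the rewritten document before publishing it anywhere reachable without authentication covers the concern in the Security point above.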

rbjtech

Thanks for the Info @softworkz

While on the topic - is there a way on the emby server to reject non-local LAN use of an API key ?

I purposely remove remote access for my only Admin user - would this apply to an API key remote request (which effectively acts as an Admin user ?)

I reject swagger on the Reverse Proxy, but I'd like to block it on the emby server as well if possible..

thanks.


14 minutes ago, rbjtech said:

I purposely remove remote access for my only Admin user - would this apply to an API key remote request (which effectively acts as an Admin user ?)

No, this is separate.

16 minutes ago, rbjtech said:

I reject swagger on the Reverse Proxy

How do you "reject swagger"?

  • Thanks 1

rbjtech
3 minutes ago, softworkz said:

How do you "reject swagger"?

I just return 404 in the nginx config.

        location ^~/swagger {
                return 404;
        }

 


You would need

  • /openapi
  • /openapi.json
  • /swagger
  • /swagger.json
  • /emby/openapi
  • /emby/openapi.json
  • /emby/swagger
  • /emby/swagger.json

But that's kind of pointless, because none of those URLs is needed to access your server via API and neither does it prevent your server from being recognized as Emby server.

  • Agree 1

rbjtech
1 minute ago, softworkz said:

You would need

  • /openapi
  • /openapi.json
  • /swagger
  • /swagger.json
  • /emby/openapi
  • /emby/openapi.json
  • /emby/swagger
  • /emby/swagger.json

But that's kind of pointless, because none of those URLs is needed to access your server via API and neither does it prevent your server from being recognized as Emby server.

Exactly - which is why I asked the question ;) - can it just be blocked on the Emby Server itself - blocking API for remote use should be a configurable item imo.  
