feat(swagger): opt-in publicInProd to serve /api/spec.json in deployed envs#3879
Conversation
…d envs Secure-by-default stays: the unauthenticated /api/spec.json is skipped in production-grade envs. Consumers with intentionally-public API docs can now opt in via config.swagger.publicInProd === true (defaults false). enable must still be truthy — the opt-in narrows the gate, never widens it. Redoc stays decommissioned; /api/docs is not re-introduced.
|
Warning Review limit reached
More reviews will be available in 59 minutes and 55 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Adds a secure-by-default opt-in (config.swagger.publicInProd === true) to allow serving the unauthenticated OpenAPI JSON spec (/api/spec.json) in production-grade (deployed) environments for consumers that intentionally publish public API docs.
Changes:
- Updates
initApiSpecenv gate to allow/api/spec.jsonin prod only when explicitly opted in viaconfig.swagger.publicInProd === true. - Adds a unit test covering the production-grade + opt-in path, including asserting the merged spec is still served.
- Introduces
swagger.publicInProd: falsein the default development config to document/establish the new knob as off by default.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| lib/services/express.js | Extends the docs env gate to support an explicit prod opt-in for serving /api/spec.json. |
| lib/services/tests/express.docsEnvGate.unit.tests.js | Adds coverage ensuring the spec mounts in prod only when publicInProd === true and Redoc remains disabled. |
| config/defaults/development.config.js | Defines swagger.publicInProd with a default of false (secure-by-default). |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3879 +/- ##
=======================================
Coverage 92.67% 92.67%
=======================================
Files 169 169
Lines 5529 5529
Branches 1775 1776 +1
=======================================
Hits 5124 5124
Misses 325 325
Partials 80 80
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
Adds a generic, secure-by-default opt-in so a consumer with intentionally-public API docs can serve the unauthenticated
/api/spec.jsonin production-grade (deployed) envs.The spec gate was
config.swagger.enable && !isProd()→ spec served only in dev-grade (local), skipped in any deployed env. That breaks the in-app OpenAPI reference for a public-docs consumer. New gate:config.swagger.publicInProddefaults false (secure-by-default preserved — opt-in narrows nothing for projects that don't want public docs).isProd()true +publicInProd:true→ spec served (merged guides intact); Redoc stays decommissioned.Lint + express/docs-env-gate + public-docs tests green.