// JavaScript source of the swagger UI request interceptor. It is handed
// verbatim to the UI config in init below and evaluated in the browser, so it
// must only ever come from a build-time source, never from user or config
// input. Presumably populated by a go:embed of swagger_request_interceptor.js
// on the preceding line — confirm; that line is outside this view.
var swaggerRequestInterceptor string
// init installs the global swagger UI handler.
//
// The swagger UI's "Authorize" button places the credential in the
// Coder-Session-Token header. Header auth bypasses CSRF checks only when no
// session cookie is also present (a cookie that matches the header is fine
// too). Because the UI is served from the same domain as the API, cookie auth
// and header auth would otherwise compete, producing CSRF errors and making it
// unclear which credential is actually in effect. The request interceptor
// therefore drops cookie auth so that only the authorization header passed in
// is relied upon.
func init() {
	// Every value in this map is JavaScript evaluated by the swagger UI page,
	// so values must only come from sources built into the binary; the
	// interceptor is maintained as real JavaScript in
	// swagger_request_interceptor.js rather than inline here.
	// See https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/.
	uiConfig := map[string]string{
		"requestInterceptor": swaggerRequestInterceptor,
		"withCredentials":    "false",
	}

	globalHTTPSwaggerHandler = httpSwagger.Handler(
		httpSwagger.URL("/swagger/doc.json"),
		httpSwagger.UIConfig(uiConfig),
	)
}
// expDERPOnce guards a once-only initialization performed elsewhere in this
// file (its Do call is outside this view). The zero value of sync.Once is
// ready to use, so no explicit initializer is needed.
var expDERPOnce sync.Once