2015-09-16 20:38:09 +00:00
# loopback-component-explorer
2013-11-05 17:59:05 +00:00
2018-10-16 11:06:11 +00:00
**This module is in Active LTS mode, new features are no longer accepted.**
< br /> (See [Module Long Term Support Policy ](#module-long-term-support-policy )
below.)
2013-11-05 19:24:48 +00:00
2018-10-16 11:06:11 +00:00
LoopBack 3 users looking for new features are encouraged to upgrade
to LoopBack 4. Refer to
[loopback-next#1849 ](https://github.com/strongloop/loopback-next/issues/1849 )
for more information on how to upgrade.
2016-12-20 23:49:26 +00:00
2018-10-16 11:06:11 +00:00
## Overview
2016-12-20 23:49:26 +00:00
2018-10-16 11:06:11 +00:00
Browse and test your LoopBack app's APIs.
2016-12-20 23:49:26 +00:00
2013-11-05 19:24:48 +00:00
## Basic Usage
Below is a simple LoopBack application. The explorer is mounted at `/explorer` .
```js
var loopback = require('loopback');
var app = loopback();
2014-07-04 19:28:47 +00:00
var explorer = require('../');
var port = 3000;
2013-11-05 19:24:48 +00:00
var Product = loopback.Model.extend('product');
Product.attachTo(loopback.memory());
app.model(Product);
2014-07-09 22:38:05 +00:00
app.use('/api', loopback.rest());
2015-07-01 16:09:38 +00:00
// Register explorer using component-centric API:
explorer(app, { basePath: '/api', mountPath: '/explorer' });
// Alternatively, register as a middleware:
app.use('/explorer', explorer.routes(app, { basePath: '/api' }));
2014-07-04 19:28:47 +00:00
console.log("Explorer mounted at localhost:" + port + "/explorer");
2013-11-05 19:24:48 +00:00
2014-07-04 19:28:47 +00:00
app.listen(port);
2013-11-05 19:24:48 +00:00
```
2014-07-04 19:28:47 +00:00
2019-11-14 14:34:25 +00:00
## A note on swagger-ui vulnerabilities
API Explorer for LoopBack 3 is built on top of `swagger-ui` version 2.x which is no longer maintained. While there are known security vulnerabilities in `swagger-ui` , we believe they don't affect LoopBack users.
We would love to upgrade our (LB3) API Explorer to v3 of swagger-ui, but unfortunately such upgrade requires too much effort and more importantly addition of new features to LB3 runtime, which would break our LTS guarantees. For more details, see discussion in [loopback-component-explorer#263 ](https://github.com/strongloop/loopback-component-explorer/issues/263 ).
https://www.npmjs.com/advisories/985
> Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript.
LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
https://www.npmjs.com/advisories/975
> Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses `target='_blank'` in anchor tags, allowing attackers to access `window.opener` for the original page. This is commonly used for phishing attacks.
This vulnerability affects anchor tags created from metadata provided by the Swagger spec, for example `info.termsOfServiceUrl` . LoopBack's API Explorer does not allow clients to provide custom swagger spec, URLs like `info.termsOfServiceUrl` are fully in control of the LoopBack application developer. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
https://www.npmjs.com/advisories/976
> Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript.
LoopBack 3 API Explorer does not support OAuth auth flow, that means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability.
2015-07-01 16:09:38 +00:00
## Upgrading from v1.x
To upgrade your application using loopback-explorer version 1.x, just replace
`explorer()` with `explorer.routes()` in your server script:
```js
2015-09-16 20:38:09 +00:00
var explorer = require('loopback-component-explorer'); // Module was loopback-explorer in v. 2.0.1 and earlier
2015-07-01 16:09:38 +00:00
// v1.x - does not work anymore
2019-03-12 05:55:32 +00:00
app.use('/explorer', explorer(app, options));
2015-07-01 16:09:38 +00:00
// v2.x
app.use('/explorer', explorer.routes(app, options));
```
2017-02-02 01:36:01 +00:00
In applications scaffolded by `lb app` , the idiomatic way is to register
2015-09-16 20:38:09 +00:00
loopback-component-explorer in `server/component-config.json` :
2015-07-01 16:09:38 +00:00
```json
{
2015-09-16 20:38:09 +00:00
"loopback-component-explorer": {
2015-07-01 16:09:38 +00:00
"mountPath": "/explorer"
}
}
```
2014-07-09 22:38:05 +00:00
## Advanced Usage
2014-10-22 08:55:25 +00:00
Many aspects of the explorer are configurable.
2014-07-09 22:38:05 +00:00
See [options ](#options ) for a description of these options:
```js
2014-07-10 19:16:10 +00:00
// Mount middleware before calling `explorer()` to add custom headers, auth, etc.
app.use('/explorer', loopback.basicAuth('user', 'password'));
2015-07-01 16:09:38 +00:00
explorer(app, {
2014-07-09 22:38:05 +00:00
basePath: '/custom-api-root',
2014-10-22 08:55:25 +00:00
uiDirs: [
path.resolve(__dirname, 'public'),
path.resolve(__dirname, 'node_modules', 'swagger-ui')
]
2014-07-09 22:38:05 +00:00
apiInfo: {
'title': 'My API',
'description': 'Explorer example app.'
},
2015-09-30 18:34:24 +00:00
resourcePath: 'swagger.json',
2014-07-09 22:38:05 +00:00
version: '0.1-unreleasable'
}));
app.use('/custom-api-root', loopback.rest());
```
2017-02-02 01:36:01 +00:00
In applications scaffolded by `lb app` , you can edit the `server/component-config.json` :
2016-10-23 08:53:43 +00:00
```json
{
"loopback-component-explorer": {
"mountPath": "/explorer",
"apiInfo": {
"title": "My App",
"description": "Description of my app APIs.",
"termsOfServiceUrl": "http://api.mycompany.io/terms/",
"contact": "apiteam@mycompany.io",
"license": "Apache 2.0",
"licenseUrl": "http://www.apache.org/licenses/LICENSE-2.0.html"
}
}
}
```
2014-07-09 22:38:05 +00:00
2014-07-04 19:28:47 +00:00
## Options
Options are passed to `explorer(app, options)` .
`basePath` : **String**
2014-07-09 22:38:05 +00:00
> Default: `app.get('restAPIRoot')` or `'/api'`.
> Sets the API's base path. This must be set if you are mounting your api
> to a path different than '/api', e.g. with
> `loopback.use('/custom-api-root', loopback.rest());
2015-07-01 16:09:38 +00:00
`mountPath` : **String**
> Default: `/explorer`
> Set the path where to mount the explorer component.
2014-07-26 15:53:08 +00:00
`protocol` : **String**
> Default: `null`
> A hard override for the outgoing protocol (`http` or `https`) that is designated in Swagger
2015-09-16 20:38:09 +00:00
> resource documents. By default, `loopback-component-explorer` will write the protocol that was used to retrieve
2014-07-26 15:53:08 +00:00
> the doc. This option is useful if, for instance, your API sits behind an SSL terminator
> and thus needs to report its endpoints as `https`, even though incoming traffic is auto-detected
> as `http`.
2014-10-22 08:55:25 +00:00
`uiDirs` : **Array of Strings**
2014-07-04 19:28:47 +00:00
2014-10-22 08:55:25 +00:00
> Sets a list of paths within your application for overriding Swagger UI files.
2014-07-04 19:28:47 +00:00
2014-10-22 08:55:25 +00:00
> If present, will search `uiDirs` first when attempting to load Swagger UI,
> allowing you to pick and choose overrides to the interface. Use this to
> style your explorer or add additional functionality.
2014-07-04 19:28:47 +00:00
> See [index.html](public/index.html), where you may want to begin your overrides.
> The rest of the UI is provided by [Swagger UI](https://github.com/wordnik/swagger-ui).
2014-07-09 22:38:05 +00:00
`apiInfo` : **Object**
2014-10-22 08:55:25 +00:00
> Additional information about your API. See the
2014-07-09 22:38:05 +00:00
> [spec](https://github.com/wordnik/swagger-spec/blob/master/versions/1.2.md#513-info-object).
`resourcePath` : **String**
> Default: `'resources'`
2014-10-22 08:55:25 +00:00
> Sets a different path for the
2014-07-09 22:38:05 +00:00
> [resource listing](https://github.com/wordnik/swagger-spec/blob/master/versions/1.2.md#51-resource-listing).
> You generally shouldn't have to change this.
`version` : **String**
> Default: Read from package.json
> Sets your API version. If not present, will read from your app's package.json.
2018-09-05 13:16:46 +00:00
`auth` : **Object**
> Optional config for setting api access token, can be used to rename the query parameter or set an auth header.
> The object has 2 keys:
> - `in`: either `header` or `query`
> - `name`: the name of the query parameter or header
>
> The default sets the token as a query parameter with the name `access_token`
> Example for setting the api key in a header named `x-api-key`:
> ```
> {
> "loopback-component-explorer": {
> "mountPath": "/explorer",
> "auth": {
> "in": "header",
> "name": "x-api-key"
> }
> }
> }
> ```
2018-10-16 11:06:11 +00:00
## Module Long Term Support Policy
This module adopts the [
Module Long Term Support (LTS)](http://github.com/CloudNativeJS/ModuleLTS) policy,
with the following End Of Life (EOL) dates:
| Version | Status | Published | EOL |
| ------- | --------------- | --------- | -------- |
2019-06-21 01:53:47 +00:00
| 6.x | Active LTS | Apr 2018 | Dec 2020 |
2018-10-16 11:06:11 +00:00
| 5.x | Maintenance LTS | Sep 2017 | Dec 2019 |
2019-05-03 14:28:36 +00:00
| 4.x | End-of-Life | Dec 2016 | Apr 2019 |
2018-10-16 11:06:11 +00:00
Learn more about our LTS plan in [docs ](https://loopback.io/doc/en/contrib/Long-term-support.html ).