Activities of "barrett2474"

So it turns out the application template is using the **wrong** method call - it should be in ConfigureSwaggerServices. If people out there are using the code as is from the Blazor Server Template then they have zero security - wide open.

```csharp
services.AddAbpSwaggerGenWithOAuth(
    configuration["AuthServer:Authority"],
    new Dictionary<string, string>
    {
        {"xxx", "xAPI"}
    },
    options =>
    {
        options.SwaggerDoc("v1", new OpenApiInfo { Title = "xAPI", Version = "v1" });
        options.DocInclusionPredicate((docName, description) => true);
        options.CustomSchemaIds(type => type.FullName);
    }
);
```

NOT

```csharp
services.AddAbpSwaggerGen(
    options =>
    {
        options.SwaggerDoc("v1", new OpenApiInfo { Title = "EL API", Version = "v1" });
        options.DocInclusionPredicate((docName, description) => true);
        options.CustomSchemaIds(type => type.FullName);
    }
);
```
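
Added example (not part of the original post and not ABP's own code): a Python audit of a generated `swagger.json` that shows how the two registrations above differ in what the document declares. The sample documents, paths and authority URL are constructed, and the example assumes the OAuth registration emits an `oauth2` security scheme plus a document-level requirement.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def audit_openapi(doc):
    """Return (oauth2 scheme names, operations with no effective security requirement).

    This inspects only what the document declares; whether the server rejects
    anonymous calls is a separate check.
    """
    schemes = doc.get("components", {}).get("securitySchemes", {})
    oauth2 = sorted(name for name, s in schemes.items() if s.get("type") == "oauth2")
    doc_level = doc.get("security") or []
    unprotected = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary", etc.
            # Operation-level "security" overrides the document level; an empty
            # list, or a list containing {}, allows anonymous access.
            effective = op["security"] if "security" in op else doc_level
            if not effective or {} in effective:
                unprotected.append(f"{method.upper()} {path}")
    return oauth2, sorted(unprotected)

# Constructed sample: shape assumed for the AddAbpSwaggerGenWithOAuth registration.
WITH_OAUTH = {
    "openapi": "3.0.1",
    "info": {"title": "xAPI", "version": "v1"},
    "paths": {
        "/api/app/sample": {"get": {"responses": {"200": {"description": "Success"}}}},
        # Hypothetical operation that opts out with an explicit empty list.
        "/api/app/public-info": {"get": {"security": [], "responses": {}}},
    },
    "components": {"securitySchemes": {"oauth2": {
        "type": "oauth2",
        "flows": {"authorizationCode": {
            "authorizationUrl": "https://auth.example.test/connect/authorize",
            "tokenUrl": "https://auth.example.test/connect/token",
            "scopes": {"xxx": "xAPI"},
        }},
    }}},
    "security": [{"oauth2": ["xxx"]}],
}
# Constructed sample: same paths, no scheme and no requirement (plain AddAbpSwaggerGen).
WITHOUT_OAUTH = {k: v for k, v in WITH_OAUTH.items() if k not in ("components", "security")}

if __name__ == "__main__":
    for label, doc in (("with OAuth", WITH_OAUTH), ("without OAuth", WITHOUT_OAUTH)):
        print(label, audit_openapi(doc))
```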

If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v5.2.2
  • UI type: Blazor Server
  • DB provider: EF Core
  • Tiered (MVC): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:

I used the template of Blazor Server and got it up and running. I navigated to the swagger page before logging in. No cookies in the browser as it was a private window. ERROR: no exception, but I am very concerned that I was able to make calls on the API via the swagger page despite not being logged in.

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11