Fix: Access to Swagger UI when login enabled (#5194)

Fixes for /swagger-ui/index.html & /v1/api-docs endpoints not being accessible when login was enabled. - `UserAuthenticationFilter.isPublicAuthEndpoint()` had gaps in its check, missing `/v1/api-docs` - Refactored `UserAuthenticationFilter` to use `RequestUriUtils.isPublicAuthEndpoint()` instead of its own incorrect method Closes #5125 & #5028 --- ### Testing (if applicable) - [x] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.
2026-01-14 20:11:17 +01:00 · 2025-12-10 11:39:29 +00:00 · 2025-12-10 11:39:29 +00:00 · 7b26b184d1
commit 7b26b184d1
parent f17ad56def
5 changed files with 16 additions and 41 deletions
--- a/app/common/src/main/java/stirling/software/common/util/RequestUriUtils.java
+++ b/app/common/src/main/java/stirling/software/common/util/RequestUriUtils.java
@ -162,10 +162,9 @@ public class RequestUriUtils {
                // enableLogin)
                || trimmedUri.startsWith(
                        "/api/v1/ui-data/footer-info") // Public footer configuration
-                || trimmedUri.startsWith("/v1/api-docs")
                || trimmedUri.startsWith("/api/v1/invite/validate")
                || trimmedUri.startsWith("/api/v1/invite/accept")
-                || trimmedUri.contains("/v1/api-docs");
+                || trimmedUri.startsWith("/v1/api-docs");
    }

    private static String stripContextPath(String contextPath, String requestURI) {
--- a/app/core/src/main/java/stirling/software/SPDF/config/OpenApiConfig.java
+++ b/app/core/src/main/java/stirling/software/SPDF/config/OpenApiConfig.java
@ -62,10 +62,14 @@ public class OpenApiConfig {

        // Add server configuration from environment variable
        String swaggerServerUrl = System.getenv("SWAGGER_SERVER_URL");
+        Server server;
        if (swaggerServerUrl != null && !swaggerServerUrl.trim().isEmpty()) {
-            Server server = new Server().url(swaggerServerUrl).description("API Server");
-            openAPI.addServersItem(server);
+            server = new Server().url(swaggerServerUrl).description("API Server");
+        } else {
+            // Use relative path so Swagger uses the current browser origin to avoid CORS issues when accessing via different ports
+            server = new Server().url("/").description("Current Server");
        }
+        openAPI.addServersItem(server);

        // Add ErrorResponse schema to components
        Schema<?> errorResponseSchema =
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/filter/JwtAuthenticationFilter.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/filter/JwtAuthenticationFilter.java
@ -26,6 +26,7 @@ import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;

+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;

 import stirling.software.common.model.ApplicationProperties;
@ -39,6 +40,7 @@ import stirling.software.proprietary.security.service.JwtServiceInterface;
 import stirling.software.proprietary.security.service.UserService;

@Slf4j
+@RequiredArgsConstructor
 public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private final JwtServiceInterface jwtService;
@ -47,19 +49,6 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final ApplicationProperties.Security securityProperties;

-    public JwtAuthenticationFilter(
-            JwtServiceInterface jwtService,
-            UserService userService,
-            CustomUserDetailsService userDetailsService,
-            AuthenticationEntryPoint authenticationEntryPoint,
-            ApplicationProperties.Security securityProperties) {
-        this.jwtService = jwtService;
-        this.userService = userService;
-        this.userDetailsService = userDetailsService;
-        this.authenticationEntryPoint = authenticationEntryPoint;
-        this.securityProperties = securityProperties;
-    }
-
    @Override
    protected void doFilterInternal(
            HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@ -68,7 +57,11 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
            filterChain.doFilter(request, response);
            return;
        }
-        if (isStaticResource(request.getContextPath(), request.getRequestURI())) {
+
+        String requestURI = request.getRequestURI();
+        String contextPath = request.getContextPath();
+
+        if (isStaticResource(contextPath, requestURI)) {
            filterChain.doFilter(request, response);
            return;
        }
@ -77,10 +70,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
            String jwtToken = jwtService.extractToken(request);

            if (jwtToken == null) {
-                // Allow specific auth endpoints to pass through without JWT
-                String requestURI = request.getRequestURI();
-                String contextPath = request.getContextPath();
-
+                // Allow auth endpoints to pass through without JWT
                if (!isPublicAuthEndpoint(requestURI, contextPath)) {
                    // For API requests, return 401 JSON
                    String acceptHeader = request.getHeader("Accept");
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/filter/UserAuthenticationFilter.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/filter/UserAuthenticationFilter.java
@ -241,24 +241,6 @@ public class UserAuthenticationFilter extends OncePerRequestFilter {
        filterChain.doFilter(request, response);
    }

-    private static boolean isPublicAuthEndpoint(String requestURI, String contextPath) {
-        // Remove context path from URI to normalize path matching
-        String trimmedUri =
-                requestURI.startsWith(contextPath)
-                        ? requestURI.substring(contextPath.length())
-                        : requestURI;
-
-        // Public auth endpoints that don't require authentication
-        return trimmedUri.startsWith("/login")
-                || trimmedUri.startsWith("/auth/")
-                || trimmedUri.startsWith("/oauth2")
-                || trimmedUri.startsWith("/saml2")
-                || trimmedUri.startsWith("/api/v1/auth/login")
-                || trimmedUri.startsWith("/api/v1/auth/refresh")
-                || trimmedUri.startsWith("/api/v1/auth/logout")
-                || trimmedUri.startsWith("/api/v1/proprietary/ui-data/login");
-    }
-
    private enum UserLoginType {
        USERDETAILS("UserDetails"),
        OAUTH2USER("OAuth2User"),
--- a/frontend/src/core/constants/links.ts
+++ b/frontend/src/core/constants/links.ts
@ -1 +1 @@
-export const devApiLink = "https://registry.scalar.com/@stirlingpdf/apis/stirling-pdf-processing-api/";
+export const devApiLink = "/swagger-ui/index.html";