Reputation: 121
I've been making some endpoints that all just have basic auth. The auto-generated Swagger UI looks nice, and users can use it in their browser by entering their credentials after clicking the green "Authorize" button.
Where and how are these credentials stored on the front-end?
Upvotes: 3
Views: 1872
Reputation: 97932
By default, these credentials are stored in the browser memory and are discarded when the Swagger UI page is refreshed or closed.
If Swagger UI is configured with persistAuthorization: true, the currently active credentials are saved in the authorized key in the browser's local storage. The saved credentials will be pre-applied after refreshing or reopening the Swagger UI page. Clicking "Logout" in the Authorize dialog deletes the corresponding credentials from the local storage.
Note that when using incognito / private browsing, the local storage of private tabs is cleared when the last private tab is closed.
The boss is asking whether or not this is secure. I think other S.O. posts recommend that storing secrets in the browser's local cache shouldn't be done. Do you know if the secret is at least hashed? I was trying to look in the source code for my answers but not having much luck.
If you mean persistAuthorization: true, I personally wouldn't use it in production. To me, this config looks more like a thing for dev/test environments.
I don't know how (in)secure the local storage is compared e.g. to cookies or the browser's "Save Password" feature. If you find useful resources, leave a comment.
Swagger UI's auth-related code is here and here. The persistAuthorization config was added in this PR.
The saved credentials are not hashed or encoded, probably because 1) Swagger UI code runs only on the client side and client-side encoding/decoding of secrets doesn't make much sense; 2) it needs the original (unmodified) credentials for "try it out" requests.
Upvotes: 2
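The check a reviewer would run on a deployed Swagger UI page, as an added example that is not part of the question, the answer, or Swagger UI's own code: read the authorized key (named in the answer above) out of localStorage and report which credential fields it exposes, then test the "not hashed or encoded" claim directly by looking for the typed password verbatim in the stored string. The JSON layout used here (one entry per security scheme, with the credential under a value field that is an object for HTTP basic and a string for API keys or bearer tokens) is an assumption about Swagger UI's format, and the sample localStorage contents are constructed, not captured from a real instance.

```javascript
// Added example; not code from the Stack Overflow post or from Swagger UI.
// Audits what a Swagger UI page configured with persistAuthorization: true
// leaves behind in window.localStorage under the "authorized" key.
//
// ASSUMPTION: each entry under "authorized" carries the credential in a
// "value" field (object with username/password for HTTP basic, string for
// apiKey/bearer). The walker therefore reports every string leaf under "value".

const AUTHORIZED_KEY = 'authorized';

// Constructed sample of localStorage after clicking "Authorize" for two
// schemes. NOT captured from a real Swagger UI instance.
const SAMPLE_STORAGE = {
  [AUTHORIZED_KEY]: JSON.stringify({
    basicAuth: {
      name: 'basicAuth',
      schema: { type: 'http', scheme: 'basic' },
      value: { username: 'alice', password: 'hunter2' },
    },
    apiKeyAuth: {
      name: 'apiKeyAuth',
      schema: { type: 'apiKey', in: 'header', name: 'X-API-Key' },
      value: 'sk-constructed-0123456789',
    },
  }),
  theme: 'dark', // unrelated key, must be ignored
};

// Works with window.localStorage (getItem) or a plain object used as a map.
function readAuthorized(storage) {
  return typeof storage.getItem === 'function'
    ? storage.getItem(AUTHORIZED_KEY)
    : storage[AUTHORIZED_KEY];
}

// Collect every string leaf under a credential "value", with its dotted path
// and length (the length is reported, never the secret itself).
function collectCredentialLeaves(value, prefix, out) {
  if (typeof value === 'string') {
    out.push({ field: prefix, length: value.length });
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      collectCredentialLeaves(v, `${prefix}.${k}`, out);
    }
  }
  return out;
}

// Returns { persisted, schemes: [{ scheme, type, fields }] }.
function auditPersistedAuth(storage) {
  const raw = readAuthorized(storage);
  if (raw == null) return { persisted: false, schemes: [] };

  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return { persisted: true, schemes: [], parseError: String(e) };
  }

  const schemes = Object.entries(parsed).map(([scheme, entry]) => {
    const s = entry && entry.schema ? entry.schema : {};
    const type = s.type ? (s.scheme ? `${s.type}/${s.scheme}` : s.type) : 'unknown';
    const fields = collectCredentialLeaves(entry ? entry.value : undefined, 'value', []);
    return { scheme, type, fields };
  });
  return { persisted: true, schemes };
}

// Direct test of "not hashed or encoded": does the secret the user typed
// appear verbatim (not even base64) in what localStorage holds?
function storedInClear(storage, secret) {
  const raw = readAuthorized(storage);
  return typeof raw === 'string' && raw.includes(secret);
}

// In a real browser console: auditPersistedAuth(window.localStorage)
console.log(JSON.stringify(auditPersistedAuth(SAMPLE_STORAGE), null, 2));
console.log('password stored in clear:', storedInClear(SAMPLE_STORAGE, 'hunter2'));
```

Paste the two functions into the DevTools console of a Swagger UI page and call auditPersistedAuth(window.localStorage); a result with persisted: false is what you should see on a production deployment that leaves persistAuthorization at its default.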