
Workaround: Working Swagger Docs for Store Api in Shopware 6

We are currently extending the Shopware Store API in our own installations. To allow easy testing against the API, we use Prism as a mock API server, which can autogenerate the mock API from Swagger files. To check that the Swagger files are actually OK, and for quick looks at the API, we prefer using the HTML Swagger interface.

However, in default Shopware 6 installations, the Store API Swagger URL is not accessible because of errors like:

    Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
    Content Security Policy: The page's settings blocked the loading of a resource at http://shopware.ddev.site/bundles/framework/swagger-ui-bundle.js ("script-src").
    Content Security Policy: The page's settings blocked the loading of a resource at http://shopware.ddev.site/bundles/framework/swagger-ui-standalone-preset.js ("script-src").

As we did not find a direct and obvious solution, we are now using the following workaround:

The Content Security Policies of Shopware are configured via dependency injection parameters, one per context. To modify them, we can overwrite the parameter in our own installation and adjust the settings (example below).

As far as we can see, the Swagger UI is the only callable HTML page for which the CSP is relevant in the store-api context, so we make it a little less secure (on our dev and test systems) by setting the following in services.xml:

    <parameters>
        <parameter key="shopware.security.csp_templates" type="collection">
            <parameter key="default">
                object-src 'none';
                script-src 'none';
                base-uri 'self';
            </parameter>
            <parameter key="administration">
                object-src 'none';
                script-src 'strict-dynamic' 'nonce-%%nonce%%' 'unsafe-inline' 'unsafe-eval' https: http:;
                base-uri 'self';
            </parameter>
            <parameter key="storefront"/>
            <parameter key="store-api">
                object-src 'none';
                script-src 'unsafe-inline' 'unsafe-eval' https: http:;
                base-uri 'self';
            </parameter>
        </parameter>
    </parameters>

After reloading, our Swagger API is now loading:

[Screenshot: Swagger Shopware Store API HTML]
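
As an added example (not from the original post or from Shopware), the following simplified Python check models how a browser treats scripts without a nonce or hash under the `script-src` values above. It shows why the default template blocks the Swagger UI and how much the relaxed `store-api` template permits. Host-source matching is omitted, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Policies copied from the services.xml shown above.
DEFAULT = "object-src 'none'; script-src 'none'; base-uri 'self';"
STORE_API_RELAXED = ("object-src 'none'; "
                     "script-src 'unsafe-inline' 'unsafe-eval' https: http:; "
                     "base-uri 'self';")
# Script URL taken from the browser errors quoted above.
BUNDLE = "http://shopware.ddev.site/bundles/framework/swagger-ui-bundle.js"


def script_sources(policy):
    """Return the script-src source list, falling back to default-src; None if unset."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return directives.get("script-src", directives.get("default-src"))


def evaluate(policy, page_origin, script_url):
    """Simplified CSP3 check for scripts without nonce/hash: inline, eval, one URL."""
    src = script_sources(policy)
    if src is None:                      # no restriction on scripts at all
        return {"inline": True, "eval": True, "url": True}
    src = [s.lower() for s in src]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in src)
    strict_dynamic = "'strict-dynamic'" in src
    # 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
    inline = "'unsafe-inline'" in src and not (has_nonce_or_hash or strict_dynamic)
    url = urlsplit(script_url)
    origin = f"{url.scheme}://{url.netloc}"
    url_ok = False
    if not strict_dynamic:               # strict-dynamic disables host/scheme allowlists
        for s in src:
            if s == "*" or (s == "'self'" and origin == page_origin):
                url_ok = True
            elif s.endswith(":") and (s[:-1] == url.scheme
                                      or (s == "http:" and url.scheme == "https")):
                url_ok = True
    return {"inline": inline, "eval": "'unsafe-eval'" in src, "url": url_ok}


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT), ("store-api (relaxed)", STORE_API_RELAXED)):
        print(name, evaluate(policy, "http://shopware.ddev.site", BUNDLE))
```

The relaxed template accepts inline scripts, `eval`, and script files from any `http:` or `https:` origin, so the same check can run in a deployment pipeline to confirm that this override is only present on dev and test systems.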