feat(cert): open Swagger in dev, protect in prod

soohyunme · soohyunme · commit 5bec659077a1 · 2026-01-09T14:39:48.000Z
diff --git a/getcloser/.env.example b/getcloser/.env.example
@@ -12,3 +12,7 @@ DB_DATABASE=app_db
 APP_HOST=localhost
 TEAM_SIZE=1
 PENDING_TIMEOUT_MINUTES=1
+
+# Swagger Credentials
+SWAGGER_USER=your_swagger_username
+SWAGGER_PASSWORD=your_swagger_password
diff --git a/getcloser/backend/app/main.py b/getcloser/backend/app/main.py
@@ -1,7 +1,12 @@
-from fastapi import FastAPI
+from fastapi import Depends, FastAPI, HTTPException, status
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html
+from fastapi.openapi.utils import get_openapi
+from fastapi.responses import JSONResponse
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
 from dotenv import load_dotenv
 import os
+import secrets
 
 from core.database import engine, Base
 from routers import test_db, admin
@@ -17,12 +22,14 @@
 Base.metadata.create_all(bind=engine)
 
 # FastAPI 앱 생성
+is_dev = os.getenv("ENV") == "development"
 app = FastAPI(
     title="Devfactory 친해지길바라",
     description="Devfactory 친해지길바라 API 서버",
     version="1.0.0",
-    docs_url="/docs",
-    redoc_url="/redoc",
+    docs_url="/docs" if is_dev else None,
+    redoc_url="/redoc" if is_dev else None,
+    openapi_url="/openapi.json" if is_dev else None,
 )
 
 
@@ -41,6 +48,58 @@
 app.include_router(test_db.test_router, prefix="/api/v1")
 app.include_router(admin.admin_router, prefix="/api/v1")
 
+security = HTTPBasic(auto_error=False)
+
+def verify_docs_credentials(credentials: HTTPBasicCredentials | None = Depends(security)) -> None:
+    if is_dev:
+        return
+
+    expected_user = os.getenv("SWAGGER_USER")
+    expected_password = os.getenv("SWAGGER_PASSWORD")
+
+    # If credentials aren't configured, keep docs closed by default.
+    if not expected_user or not expected_password:
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Swagger credentials are not configured.",
+        )
+
+    if credentials is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Missing credentials",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    is_user_ok = secrets.compare_digest(credentials.username, expected_user)
+    is_password_ok = secrets.compare_digest(credentials.password, expected_password)
+    if not (is_user_ok and is_password_ok):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid credentials",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+if not is_dev:
+    @app.get("/docs", include_in_schema=False)
+    def get_swagger_docs(_: None = Depends(verify_docs_credentials)):
+        return get_swagger_ui_html(openapi_url="/openapi.json", title="API Docs")
+
+    @app.get("/redoc", include_in_schema=False)
+    def get_redoc_docs(_: None = Depends(verify_docs_credentials)):
+        return get_redoc_html(openapi_url="/openapi.json", title="API Docs")
+
+    @app.get("/openapi.json", include_in_schema=False)
+    def openapi_json(_: None = Depends(verify_docs_credentials)):
+        return JSONResponse(
+            get_openapi(
+                title=app.title,
+                version=app.version,
+                description=app.description,
+                routes=app.routes,
+            )
+        )
+
 
 @app.get("/")
 async def read_root():
