docs: open api docs utoipa #2023
Conversation
taddes
force-pushed
the
docs/open-api-docs-utoipa-STOR-381
branch
from
4d40a9b to
98b3ece
Compare
| cargo run --example generate_openapi_spec > openapi.json | ||
| ``` | ||
|
|
||
| ### Viewing the Spec Locally (Without Running the Server) |
There was a problem hiding this comment.
What do you think of the idea of creating a make target that can generate and preview the swagger docs?
There was a problem hiding this comment.
Great idea, I'll add that 👍
| [workspace.package] | ||
| version = "0.21.1" | ||
| authors = [ | ||
| "Ben Bangert <ben@groovie.org>", |
There was a problem hiding this comment.
I know, I too am sad Ben left Mozilla... His was the first name that came up so I updated it to Phil. What we really need is a mail group for the sync/storage team. I can put it back for posterity if you feel strongly.
There was a problem hiding this comment.
I don't put too much importance in these author fields but if anything I'd rather add more to them than remove.
However we apparently have a sync-backend@mozilla.com that you made in 2024, so we could make that the sole authors if you want (and add Barry to this mailing list).
There was a problem hiding this comment.
Thx, moved us to that and added Barry!
| summary = "Get collection timestamps", | ||
| description = "Returns an object mapping collection names associated with the account to the last-modified time for each collection.", | ||
| params( | ||
| ("uid" = String, Path, description = "User ID") |
There was a problem hiding this comment.
Should we explain how the user can get this uid value? Presumably we want people to interact with the endpoints.
There was a problem hiding this comment.
Folks would have to probably use the about:sync extension to get their uid
|
|
||
| #[utoipa::path( | ||
| get, | ||
| path = "/1.0/{application}/{version}", |
There was a problem hiding this comment.
I think application and version should be params below?
| (status = 401, description = "Unauthorized - Invalid authentication"), | ||
| (status = 503, description = "Service unavailable - No nodes available"), | ||
| ) | ||
| )] |
There was a problem hiding this comment.
There is nothing here about authorization. And the UI doesn't offer a way to pass anything in through headers.
There was a problem hiding this comment.
Yeah, I'll have to dig a little deeper on how to deal with this for the configuration for the live preview mode.
There was a problem hiding this comment.
I'd be fine merging this pretty much as is, we can log a separate issue for supporting Auth headers
There was a problem hiding this comment.
Sounds good @pjenvey , can file an additional ticket as I explore that a bit and we see how it looks when deployed.
| (status = 200, description = "Collection timestamps retrieved successfully", content_type = "application/json"), | ||
| (status = 401, description = "Unauthorized"), | ||
| ) | ||
| )] |
There was a problem hiding this comment.
There is no way to authorize these syncserver requests. The only param I can enter on the UI is the uid but that isn't enough.
| summary = "Get sync token", | ||
| description = "Allocates a sync storage node and returns authentication credentials for accessing it. This is the main Tokenserver endpoint used by Firefox Sync clients.", | ||
| responses( | ||
| (status = 200, description = "Token generated successfully", body = TokenserverResult, content_type = "application/json"), |
There was a problem hiding this comment.
Without making a successful request, readers wouldn't know the shape of TokenserverResult. It would be nice if there's a response schema.
There was a problem hiding this comment.
With the 200 response, there is actually a TokenserverResult that can be seen, whether the request is successful or not. Really glad you mentioned this though, because I hadn't added the Tokenserver stage & prod references to the Api doc config and also made sure to add to the documentation.
| ("uid" = String, Path, description = "User ID"), | ||
| ("collection" = String, Path, description = "Collection name"), | ||
| ("ids" = Option<String>, Query, description = "Comma-separated list of BSO IDs to return (max 100)"), | ||
| ("newer" = Option<f64>, Query, description = "Return only items with modified time strictly greater than this timestamp"), |
There was a problem hiding this comment.
Might be good to mention the resolution of the timestamps.
taddes
force-pushed
the
docs/open-api-docs-utoipa-STOR-381
branch
from
f925335 to
91adafd
Compare
| description = "OpenAPI documentation for Syncstorage and Tokenserver endpoints." | ||
| ), | ||
| servers( | ||
| (url = "https://sync-1-us-west1-g.sync.services.mozilla.com", description = "US West Production"), |
There was a problem hiding this comment.
| (url = "https://sync-1-us-west1-g.sync.services.mozilla.com", description = "US West Production"), | |
| (url = "https://sync-us-west1-g.sync.services.allizom.org", description = "US West Stage"), | |
| (url = "https://sync-1-us-west1-g.sync.services.mozilla.com", description = "US West Production"), |
(if anyone wants to play around with test traffic, maybe encourage stage)
There was a problem hiding this comment.
Good call with stage, can add a suggestion in docs.
| ``` | ||
| Then open http://localhost:8080 | ||
|
|
||
| 2. **Generate the spec on a compatible machine** (or use CI): |
There was a problem hiding this comment.
This seems a little confusing with 1) mentioning this command but really 1/3/4 all need it (should 2 be removed and 1)'s mention of the command moved ahead of all these sections?)
There was a problem hiding this comment.
Sure, that makes sense.
taddes
force-pushed
the
docs/open-api-docs-utoipa-STOR-381
branch
from
4e53172 to
ed6d5f9
Compare
|
Note: once we finally cut a new release with this feature, we may go back and make some adjustments to the URL we point to and see if the generated swagger docs (which eventually end up as part of the compiled and deployed Syncstorage) are more feature-rich than the current state. |
| OPENAPI_FILE := openapi.json | ||
|
|
||
| .PHONY: api-prev | ||
| api-prev: ## Generate live preview of OpenAPI Swagger Docs and open in browser (port 8080). |
There was a problem hiding this comment.
I tried this and the server stops as soon as it's started.
There was a problem hiding this comment.
Is your Docker daemon/Docker desktop running? Works fine for me.
There was a problem hiding this comment.
docker container ls showed the expected output so it appears to be running.
|
Thanks @taddes for this work. I think I need to understand the goal of this effort better. If it is to allow people to interact with the API endpoints, then it is not quite there. The UI for the very first step of exchanging an FxA OAuth access token for a Sync auth token does not have a way for the user to input the access token. (Presuming the user know how to grab an FxA access token that's authorized to access Sync.) If we only want to list the API endpoints, then let's remove the interactivity. We still should list the header(s) for the endpoints, however. |
This was a very old ticket to basically just add the OpenAPI support. There isn't an explicit necessary goal of it being interactive, though that's a nice plus. I had mentioned before that the auth parts of this may make it tricky, and we're not going to know more until we actually cut a new version of Sync with this feature that exposes the API as part of the compiled Sync. We can file an additional ticket to expand that as needed. It might in the end be a bridge too far to have it fully interactive. However, the endpoints still have response codes and the shapes of some of the returned data. |
taddes
force-pushed
the
docs/open-api-docs-utoipa-STOR-381
branch
from
bdafc7e to
ac9e11f
Compare
| validator = "0.20" | ||
| validator_derive = "0.20" | ||
| woothee = "0.13" | ||
| utoipa = "5.4.0" |
There was a problem hiding this comment.
let's move this into the root Cargo.toml w/ tokenserver-common also using it
| (status = 401, description = "Unauthorized - Invalid authentication"), | ||
| (status = 503, description = "Service unavailable - No nodes available"), | ||
| ) | ||
| )] |
There was a problem hiding this comment.
I'd be fine merging this pretty much as is, we can log a separate issue for supporting Auth headers
taddes
force-pushed
the
docs/open-api-docs-utoipa-STOR-381
branch
from
ac9e11f to
ff7837f
Compare
taddes
force-pushed
the
docs/open-api-docs-utoipa-STOR-381
branch
from
ff7837f to
5045c96
Compare
|
Also resolves cargo-audit CVE related to time create: |
3 participants
Description
OpenAPI docs would be useful to collect and publish to clarify our API.
The utopia crate w/ the actix_extras feature can parse our actix-web route definitions to produce OpenAPI docs, and its accompanying utoipa-swagger-ui crate can serve those docs via actix-web.
This PR imports utoipa and swagger to support the OpenAPI spec and annotates the web handlers for tokenserver and sync to introduce the API documentation. This requires special proc macros that are recognized by
OpenAPIFor consistency and simplicity, I have added to the github actions to generate and publish the swagger docs as well. The documentation page also lays out ways to see the documentation locally using Docker and a few other methods. Just follow the instructions to test for yourself. There is also an example script that generates the openapi.json file that is required first.
Also resolves
cargo-auditCVE related totimecreateIssue(s)
Closes STOR-381.