Swagger-Basic-Authentication-Logout

Clear the basic authentication certificate record by browser on Swagger

✨ Feature

This extension provide a Logout button for Swagger API page. With almost all the browsers save basic authentication certificate automatically, it is hard to "logout" the website using basic authentication and also makes developers hard to debug multi-user APIs.

⚙️ Install

• Install on Chrome Web Store

• Install the offline package on Chrome

  • Download the Swagger-Basic-Authentication-Logout.crx from the Release Page
  • Rename the file to Swagger-Basic-Authentication-Logout.zip and unzip it.
  • Move unziped folder to a "safe" place and make sure it will be never moved again
  • Type chrome://extensions/ on chrome address bar
  • Turn on "Developer mode"
  • Select "Load Unpacked" and point it to the extension folder

• Support of Firefox is on road...

🛠️ Useage

• After installing the extension, once you open a Swagger API page the extension will automatically work with the badge of icon turns "ON"

• When any request is responsed with code not 401, There will appear a "Logout" button. Click it you can logout.

  It also means that, requests, no matter whether it is using basic authentication will be appened a button. Logout a request without basic authentication will get error.

• Sometimes when you click logout, the browser will popup a menu and ask you enter the username and password. Just cancel it! This is caused by the server setted a WWW-Authenticate header on the response. A good way to circumvent this annoying problem is to not return the WWW-Authenticate header for requests with wrong username and password in debugging mode.

• If you do not like the extension, there is also a JavaScript code in /script can also release the feature: when the page has loaded, copy the code in /script/index.js, press F12, switch to the Console tab, paste the code and press Enter to run the code.

🤔 How it work

In fact, we can not actually logout base on basic authentication, There are 2 ways to "logout"

1. Clear the data of website in browser

   The basic authentication certificate is not stored in Cookie or LocalStorage, it is saved by the browser. Using following ways, you can clean the certificate

   • For Chrome: type chrome://settings/clearBrowserData on address bar (or Ctrl+Shift+Del), select Advanced > Cookie and other website data > clean

   • For Firefox: type about:preferences#privacy on address bar, select clean data Cookie and other website data > clean

2. Login with a wrong user

   Once the browser save the certificate, we can relogin and overwrite the certificate. If we login with wrong username and password, we can clear the certificate. The most easy way to clean the certificate of http://example.com is visit http://wrong:[email protected]. It is also the method the extension used.

🧑‍💻 Develop

• Set up

  pnpm install

• Build

  pnpm run build

• Build in watch mode in terminal

  pnpm run watch

• Build in watch mode in Visual Studio Code: type Ctrl + Shift + B

Update

Recently we found an untested "official" method for vintage browsers (IE6+):

document.execCommand("ClearAuthenticationCache", "false")

This is not an official method, nor does it work for Chrome browsers. (After all, this HTTP Basic Auth method is as old as IE, it should be buried in the grave)

🥰 Reference

• The template of Chrome extension comes from chibat/chrome-extension-typescript-starter
• stackoverflow - How to clear basic authentication details in chrome
• stackoverflow - How to log out user from web site using BASIC authentication?