How does one get a protected spec in Swagger UI?

[dnk8n]

Environment

Below is how my docker-compose is configured:

postgrest:
    depends_on:
      postgres:
        condition: service_started
    environment:
      PGRST_DB_ANON_ROLE: web_anon
      PGRST_DB_PRE_REQUEST: auth.check_token
      PGRST_DB_SCHEMA: public
      PGRST_DB_URI: postgres://authenticator:authenticator@postgres:5432/example
      PGRST_JWT_SECRET: ***
      PGRST_OPENAPI_SECURITY_ACTIVE: "true"
      PGRST_OPENAPI_SERVER_PROXY_URI: http://localhost:3000
    image: postgrest/postgrest:v10.1.2
    networks:
      example_net: {}
    ports:
    - target: 3000
      published: "3000"
    restart: unless-stopped
  swagger:
    depends_on:
      postgrest:
        condition: service_started
    environment:
      URLS: '[ { url: "http://localhost:3000", name: "EXAMPLE" } ]'
    image: swaggerapi/swagger-ui:v4.18.1
    networks:
      example_net: {}
    ports:
    - target: 8080
      published: "8080"

Description of issue

I have the authorization button configured, and it works how I want it to for the only available public endpoint (the spec itself). When executed with the authorization header set, it returns json with the full protected spec.

But I don't see a way to get that spec loaded so that the protected endpoints are displayed. What is the standard way of achieving this?

I guess this not necessarily a PostgREST issue, however it appears everyone expects updated 3.1 version of OpenAPI spec, which postgrest doesn't support. Is this use case expected to be covered by PostREST feature, https://postgrest.org/en/stable/releases/v10.0.0.html#openapi ?

[dnk8n]

For now I just use PGRST_OPENAPI_MODE: "ignore-privileges" as a workaround until I work out to set the headers.

Preferably, the client could set the headers and get the definition relevant to them (appropriate experience with no redundant endpoints)

But alternatively, I could preset the URLS/headers on the server (docker-compose) each rendered under their own definition so it is up to the user to select the correct definition for their role.

[wolfgangwalther]

What I do in one of my projects in this case: I add an already-authorized api endpoint via nginx reverse proxy (just in the development environment, ofc). Something like:

  location /apiwithtoken/ {
    proxy_pass http://postgrest/;
    proxy_http_version 1.1;
    proxy_set_header Authorization "Bearer <hand-crafted-token-without-expiry>";
  }