{"id":19874517,"url":"https://github.com/strongloop/loopback-component-explorer","last_synced_at":"2025-12-16T20:31:17.520Z","repository":{"id":11644293,"uuid":"14149371","full_name":"strongloop/loopback-component-explorer","owner":"strongloop","description":"Browse and test your LoopBack app's APIs","archived":false,"fork":false,"pushed_at":"2022-08-03T08:55:56.000Z","size":779,"stargazers_count":71,"open_issues_count":1,"forks_count":102,"subscribers_count":34,"default_branch":"master","last_synced_at":"2024-04-13T00:12:22.144Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/strongloop.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2013-11-05T17:59:05.000Z","updated_at":"2022-03-03T01:01:37.000Z","dependencies_parsed_at":"2022-08-07T06:16:29.051Z","dependency_job_id":null,"html_url":"https://github.com/strongloop/loopback-component-explorer","commit_stats":null,"previous_names":["strongloop/loopback-explorer"],"tags_count":63,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strongloop%2Floopback-component-explorer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strongloop%2Floopback-component-explorer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strongloop%2Floopback-component-explorer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/strongloop%2Floopback-component-explorer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/strongloop","download_url":"https://codeload.github.com/strongloop/loopback-component-explorer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247256112,"owners_count":20909240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T16:23:50.320Z","updated_at":"2025-12-16T20:31:17.445Z","avatar_url":"https://github.com/strongloop.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# loopback-component-explorer\n\n**⚠️ LoopBack 3 is in Maintenance LTS mode, only critical bugs and critical\nsecurity fixes will be provided. (See\n[Module Long Term Support Policy](#module-long-term-support-policy) below.)**\n\nWe urge all LoopBack 3 users to migrate their applications to LoopBack 4 as\nsoon as possible. Refer to our\n[Migration Guide](https://loopback.io/doc/en/lb4/migration-overview.html)\nfor more information on how to upgrade.\n\n\n## Overview\n\nBrowse and test your LoopBack app's APIs.\n\n## Basic Usage\n\nBelow is a simple LoopBack application. The explorer is mounted at `/explorer`.\n\n```js\nvar loopback = require('loopback');\nvar app = loopback();\nvar explorer = require('../');\nvar port = 3000;\n\nvar Product = loopback.Model.extend('product');\nProduct.attachTo(loopback.memory());\napp.model(Product);\n\napp.use('/api', loopback.rest());\n\n// Register explorer using component-centric API:\nexplorer(app, { basePath: '/api', mountPath: '/explorer' });\n// Alternatively, register as a middleware:\napp.use('/explorer', explorer.routes(app, { basePath: '/api' }));\n\nconsole.log(\"Explorer mounted at localhost:\" + port + \"/explorer\");\n\napp.listen(port);\n```\n\n## A note on swagger-ui vulnerabilities\n\nAPI Explorer for LoopBack 3 is built on top of `swagger-ui` version 2.x which\nis no longer maintained. While there are known security vulnerabilities in\n`swagger-ui`, we believe they don't affect LoopBack users.\n\nWe would love to upgrade our (LB3) API Explorer to v3 of swagger-ui, but\nunfortunately such upgrade requires too much effort and more importantly\naddition of new features to LB3 runtime, which would break our LTS guarantees.\nFor more details, see discussion in\n[loopback-component-explorer#263](https://github.com/strongloop/loopback-component-explorer/issues/263).\n\n### npm advisory 985\n\nLink: https://www.npmjs.com/advisories/985\n\n\u003e Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting\n\u003e (XSS). The package fails to sanitize YAML files imported from URLs or\n\u003e copied-pasted. This may allow attackers to execute arbitrary JavaScript.\n\nLoopBack's API Explorer does not allow clients to import swagger spec from YAML\nURL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED**\nby this vulnerability.\n\n### npm advisory 975\n\nLink: https://www.npmjs.com/advisories/975\n\n\u003e Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping.\n\u003e The package uses `target='_blank'` in anchor tags, allowing attackers to\n\u003e access `window.opener` for the original page. This is commonly used for\n\u003e phishing attacks.\n\nThis vulnerability affects anchor tags created from metadata provided by the\nSwagger spec, for example `info.termsOfServiceUrl`. LoopBack's API Explorer\ndoes not allow clients to provide custom swagger spec, URLs like\n`info.termsOfServiceUrl` are fully in control of the LoopBack application\ndeveloper. That means loopback-component-explorer **IS NOT AFFECTED** by this\nvulnerability.\n\n### npm advisory 976\n\nLink: https://www.npmjs.com/advisories/976\n\n\u003e Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting\n\u003e (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which\n\u003e may allow attackers to execute arbitrary JavaScript.\n\nLoopBack 3 API Explorer does not support OAuth auth flow, that means\nloopback-component-explorer **IS NOT AFFECTED** by this vulnerability.\n\n### GitHub advisory CVE-2019-17495\n\nLink: https://github.com/advisories/GHSA-c427-hjc3-wrfw\n\u003e A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before\n\u003e 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique\n\u003e to perform CSS-based input field value exfiltration, such as exfiltration of\n\u003e a CSRF token value.\n\nQuoting from the\n[disclosure](https://github.com/tarantula-team/CSS-injection-in-Swagger-UI/tree/15edeaaa5806aa8e83ee55d883f956a3c3573ac9):\n\n\u003e We’ve observed that the `?url=` parameter in SwaggerUI allows an attacker to\n\u003e override an otherwise hard-coded schema file.  We realize that Swagger UI\n\u003e allows users to embed untrusted Json format from remote servers This means we\n\u003e can inject json content via the GET parameter to victim Swagger UI.  etc.\n\nLoopBack 3 API Explorer does not suport `?url=` parameter, it always loads the\nSwagger spec file from the LoopBack server serving the Explorer UI. That means\nloopback-component-explorer **IS NOT AFFECTED** by this vulnerability.\n\n## Upgrading from v1.x\n\nTo upgrade your application using loopback-explorer version 1.x, just replace\n`explorer()` with `explorer.routes()` in your server script:\n\n```js\nvar explorer = require('loopback-component-explorer');  // Module was loopback-explorer in v. 2.0.1 and earlier\n\n// v1.x - does not work anymore\napp.use('/explorer', explorer(app, options));\n// v2.x\napp.use('/explorer', explorer.routes(app, options));\n```\n\nIn applications scaffolded by `lb app`, the idiomatic way is to register\nloopback-component-explorer in `server/component-config.json`:\n\n```json\n{\n  \"loopback-component-explorer\": {\n    \"mountPath\": \"/explorer\"\n  }\n}\n```\n\n## Advanced Usage\n\nMany aspects of the explorer are configurable.\n\nSee [options](#options) for a description of these options:\n\n```js\n// Mount middleware before calling `explorer()` to add custom headers, auth, etc.\napp.use('/explorer', loopback.basicAuth('user', 'password'));\nexplorer(app, {\n  basePath: '/custom-api-root',\n  uiDirs: [\n    path.resolve(__dirname, 'public'),\n    path.resolve(__dirname, 'node_modules', 'swagger-ui')\n  ]\n  apiInfo: {\n    'title': 'My API',\n    'description': 'Explorer example app.'\n  },\n  resourcePath: 'swagger.json',\n  version: '0.1-unreleasable'\n}));\napp.use('/custom-api-root', loopback.rest());\n```\nIn applications scaffolded by `lb app`, you can edit the `server/component-config.json`:\n\n```json\n{\n  \"loopback-component-explorer\": {\n    \"mountPath\": \"/explorer\",\n    \"apiInfo\": {\n      \"title\": \"My App\",\n      \"description\": \"Description of my app APIs.\",\n      \"termsOfServiceUrl\": \"http://api.mycompany.io/terms/\",\n      \"contact\": \"apiteam@mycompany.io\",\n      \"license\": \"Apache 2.0\",\n      \"licenseUrl\": \"http://www.apache.org/licenses/LICENSE-2.0.html\"\n    }\n  }\n}\n```\n\n## Options\n\nOptions are passed to `explorer(app, options)`.\n\n`basePath`: **String**\n\n\u003e Default: `app.get('restAPIRoot')` or  `'/api'`.\n\n\u003e Sets the API's base path. This must be set if you are mounting your api\n\u003e to a path different than '/api', e.g. with\n\u003e `loopback.use('/custom-api-root', loopback.rest());\n\n`mountPath`: **String**\n\n\u003e Default: `/explorer`\n\n\u003e Set the path where to mount the explorer component.\n\n`protocol`: **String**\n\n\u003e Default: `null`\n\n\u003e A hard override for the outgoing protocol (`http` or `https`) that is designated in Swagger\n\u003e resource documents. By default, `loopback-component-explorer` will write the protocol that was used to retrieve\n\u003e the doc. This option is useful if, for instance, your API sits behind an SSL terminator\n\u003e and thus needs to report its endpoints as `https`, even though incoming traffic is auto-detected\n\u003e as `http`.\n\n`uiDirs`: **Array of Strings**\n\n\u003e Sets a list of paths within your application for overriding Swagger UI files.\n\n\u003e If present, will search `uiDirs` first when attempting to load Swagger UI,\n\u003e allowing you to pick and choose overrides to the interface. Use this to\n\u003e style your explorer or add additional functionality.\n\n\u003e See [index.html](public/index.html), where you may want to begin your overrides.\n\u003e The rest of the UI is provided by [Swagger UI](https://github.com/wordnik/swagger-ui).\n\n`apiInfo`: **Object**\n\n\u003e Additional information about your API. See the\n\u003e [spec](https://github.com/wordnik/swagger-spec/blob/master/versions/1.2.md#513-info-object).\n\n`resourcePath`: **String**\n\n\u003e Default: `'resources'`\n\n\u003e Sets a different path for the\n\u003e [resource listing](https://github.com/wordnik/swagger-spec/blob/master/versions/1.2.md#51-resource-listing).\n\u003e You generally shouldn't have to change this.\n\n`version`: **String**\n\n\u003e Default: Read from package.json\n\n\u003e Sets your API version. If not present, will read from your app's package.json.\n\n`auth`: **Object**\n\n\u003e Optional config for setting api access token, can be used to rename the query parameter or set an auth header.\n\n\u003e The object has 2 keys:\n\u003e - `in`: either `header` or `query`\n\u003e - `name`: the name of the query parameter or header\n\u003e\n\u003e The default sets the token as a query parameter with the name `access_token`\n\n\u003e Example for setting the api key in a header named `x-api-key`:\n\u003e ```\n\u003e {\n\u003e   \"loopback-component-explorer\": {\n\u003e     \"mountPath\": \"/explorer\",\n\u003e     \"auth\": {\n\u003e       \"in\": \"header\",\n\u003e       \"name\": \"x-api-key\"\n\u003e     }\n\u003e   }\n\u003e }\n\u003e ```\n\n## Module Long Term Support Policy\n\nThis module adopts the [\nModule Long Term Support (LTS)](http://github.com/CloudNativeJS/ModuleLTS) policy,\n with the following End Of Life (EOL) dates:\n\n| Version | Status          | Published | EOL      |\n| ------- | --------------- | --------- | -------- |\n| 6.x     | Maintenance LTS | Apr 2018  | Dec 2020 |\n| 5.x     | End-of-Life     | Sep 2017  | Dec 2019 |\n\nLearn more about our LTS plan in [docs](https://loopback.io/doc/en/contrib/Long-term-support.html).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstrongloop%2Floopback-component-explorer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstrongloop%2Floopback-component-explorer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstrongloop%2Floopback-component-explorer/lists"}