Inquiry About Securing the Swagger Page in PHPMaker Project

Hello,

I have a question regarding a project generated with PHPMaker. After deploying the application to a live server, I noticed that the Swagger API documentation (accessible via /swagger) is publicly available to anyone without requiring authentication.

I would like to restrict access to the Swagger page so that only authorized users (e.g., logged-in users) can view it.

Is there a recommended way within PHPMaker to secure or disable access to the Swagger interface?
If not configurable directly from the PHPMaker UI, can I protect the route by adding a login check or custom condition in the routes.php or index.php file?

I would appreciate any guidance or best practices on how to properly secure this part of the application.

Thank you in advance for your support.

Best regards,

Although the page is public, the data is still protected by PHPMaker’s Advanced Security. Users cannot access data without logging in. If you want to allow only logged-in users to access it, and you are using v2025, you can use Access Control, e.g. in Global Code:

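// Prepend a rule that requires a fully authenticated user for /swagger
AddListener(ConfigurationEvent::NAME, function (ConfigurationEvent $event) {
    $controls = $event->get("SECURITY.access_control") ?? [];
    // array_merge() rather than "+": on a numerically indexed list the union
    // operator keeps the new rule at key 0 and drops the existing rule at key 0
    $controls = array_merge([["path" => '^/swagger', "roles" => "IS_AUTHENTICATED_FULLY"]], $controls);
    $event->set("SECURITY.access_control", $controls);
});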
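The following is an added example, not part of the original posts and not PHPMaker's own code. It shows what happens to existing rules when a `^/swagger` rule is prepended to an access-control list with PHP's `+` operator versus `array_merge()`. It assumes the list is numerically indexed and evaluated first-match-wins (as in Symfony's `access_control`); the existing rules, the request paths and the `requiredRoles()` helper are constructed for illustration.

```php
<?php
// Added illustration: a simplified model of first-match access control,
// not PHPMaker's or Symfony's implementation.

// Constructed sample: rules assumed to be present in the configuration already.
$existing = [
    ["path" => '^/api/login', "roles" => "PUBLIC_ACCESS"],
    ["path" => '^/api',       "roles" => "ROLE_USER"],
];
$swagger = ["path" => '^/swagger', "roles" => "IS_AUTHENTICATED_FULLY"];

// Hypothetical helper: roles of the first rule whose path regex matches.
function requiredRoles(array $rules, string $path): ?string
{
    foreach ($rules as $rule) {
        if (preg_match('{' . $rule["path"] . '}', $path) === 1) {
            return $rule["roles"];
        }
    }
    return null; // no rule matched: this list does not restrict the path
}

// Union keeps the left-hand value for key 0, so $existing[0] is dropped.
$withUnion = [$swagger] + $existing;
// array_merge renumbers integer keys, so every existing rule survives.
$withMerge = array_merge([$swagger], $existing);

$paths = ["/swagger", "/swagger/swagger.json", "/api/login", "/api/list/orders"];
foreach (["union (+)" => $withUnion, "array_merge" => $withMerge] as $label => $rules) {
    printf("%s: %d rules\n", $label, count($rules));
    foreach ($paths as $path) {
        printf("  %-22s => %s\n", $path, requiredRoles($rules, $path) ?? "(no rule)");
    }
}
```

Comparing the two listings for `/api/login` shows whether a more specific existing rule was lost when the new one was prepended; the same comparison against the real value of `SECURITY.access_control` is a quick check after deploying the listener.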