Swagger UI - " TypeError: Failed to fetch" on valid response
I hit this error during local development (i.e., had nothing to do with AWS). The underlying cause (CORS violation) is identical. The following might help others who encounter this problem.
I setup connexion with an openapi spec that referred to http://localhost:9090/. When the development server starts, it says "Running on http://0.0.0.0:9090/". That page appears to work, but the swagger ui uses http://localhost:9090/ from the openapi spec for subsequent requests and shows TypeError: Failed to fetch
in results. The browser console shows Access to fetch at 'http://localhost:9090/vr/variation' from origin 'http://0.0.0.0:9090'
. The provided curl
command worked fine; although initially confusing, the curl success is a clue that the problem is due to browser blocking rather than server-side failure.
(Connexion is based on Python flask and provides extended support for openapi integration.)
For anyone that runs into this problem;
After a day of troubleshooting and the Swagger support guys pointing me in the right direction, it turns out that this is currently caused by a bug within the AWS API Gateway custom authorizers.
We are currently using AWS API Gateway for managing our APIs, this includes managing all our authorization via a custom authorizer. The issue is that custom authorizers do not currently support passing through headers within the response and Swagger UI needs the Access-Control-Allow-Origin:*
within the response header(s) to display the correct HTTP status code.
See this AWS thread regarding the issue (which is older than a year already):
https://forums.aws.amazon.com/thread.jspa?messageID=728839
Swagger UI discussion on same: https://github.com/swagger-api/swagger-ui/issues/3403
EDIT / UPDATE
This has since been resolved with the use of Gateway Responses. See this same forum (page 2):
https://forums.aws.amazon.com/thread.jspa?messageID=728839
I had the same issue and there was a very simple fix. I accessed my site using HTTP but it required HTTPS. My site was redirecting to HTTPS when calling an endpoint.
This violated the "same-origin policy": https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.2