Self host swagger JS dependencies

[mira-miracoli]

We should provide self-hosted JS libraries for OpenAPI docs

@app.get("/docs", include_in_schema=False)
async def custom_swagger_ui_html():
    return get_swagger_ui_html(
        swagger_js_url=f"https://{ourselves}/swagger-ui-dist@5.9.0/swagger-ui-bundle.js",
        swagger_css_url=f"https://{ourselves}/swagger-ui-dist@5.9.0/swagger-ui.css",
    )

Describe the bug
usegalaxy.*/api/docs
is not loading for me:

The issue is an invalid certificate for a Cloudflare CDN server, it seems to be expired in 2020.
After googleing it, I found this:
https://community.cloudflare.com/t/jsdelivr-expired-certificate-may-2024/650543
and
jsdelivr/jsdelivr#18565

It could be a bigger issue.
Sure we can not do anything about it and CDNs should always work, but in this case I was wondering if it is really needed
or if we could serve this with our own servers?

Galaxy Version and/or server at which you observed the bug
Galaxy Version: 24.0
all 3 usegalaxy.* servers

Browser and Operating System
Operating System: Linux, macOS
Browser: Firefox, Chrome-based, Safari

Firefox 125.2 (fedora linux 39)
Chromium 124.0.6367.91 (fedora linux 39)
Safari on iPadOS 17.4.1

To Reproduce
Steps to reproduce the behavior:
Maybe it is location dependent, but otherwise the steps are quite obivous

Expected behavior
swagger api docs should load

[hexylena]

Seconding this, it also won't work for TREs and similar air-gapped environments and leaks information about our visitors. We should self host this like we do for the rest of the JS.

I'm glad there was a certificate issue, might not have noticed otherwise that the JS comes from a third party domain.

(And especially JS that might have access to user API keys, even if it's a trustworthy party like jsdeliver, since we aren't using SRI hashes to ensure the validity of that file at all, just a plain script tag)

[mvdbeek]

Do you want to open that issue at FastAPI ? I don't think there's anything we can do. It also works for me on all devices.

[hexylena]

@mvdbeek fastapi is generating this?

[mvdbeek]

yes

[hexylena]

oof. i'd expect at least SRI hashes then, yikes.

[hexylena]

Someone reports a similar issue (different flavour of firewall) and the suggested answer is an additional requirement. tiangolo/fastapi#4924 (comment)

every similar question seems to receive that as an answer, the discussion moved to 'discussions' and the underlying issue never fixed or closed as 'wontfix'.

[hexylena]

Aha, it sounds like we can implement this ourselves, by passing static_directory tiangolo/fastapi#112

https://github.com/tiangolo/fastapi/pull/112/files#diff-a7194c5009e170b25568f7cf38b4eb8b7caabd87249b4bf6c0cd1710119a0200R8

[mira-miracoli]

update:

• cdn.jsdelivr.net has SSL issue. jsdelivr/jsdelivr#18565
  Is solved by moving to another CDN temporarily.

Unfortunately this issue affected the users hitting the Cloudflare CDN. Currently its fixed by redirecting all traffic to Fastly.

At this moment its unknown why they decided to start serving an expired SSL certificate as it's service is supposed to be fully automated and managed by them.

I will be working with them to understand the problem and when its safe to bring back Cloudflare.

[hexylena]

I suspect CF will fix that long before we could patch galaxy.

misunderstood, we are agreed, should be self hosted.