Description
Is your feature request related to a problem? Please describe.
My application has many endpoints, but only a subselection is available as public endpoints for users.
I have set the endpoint to `springdoc.api-docs.path=/api/docs`.
I have configured this subselection into a group/definition using a `GroupedOpenApi` bean, and it appears in swagger-ui as a different definition. Here, a link to `/api/docs/subselection` is available (it can be any subselection name).
However, the `/api/docs` endpoint is also available, and contains ALL endpoints.
This is a security problem, as the end-users now see all internal endpoints. I have them disabled via the reverse-proxy, but I am showing more internal information than I would like to (e.g. debug endpoints).
Also, for me this is unexpected behavior: I define groups to restrict what is visible in swagger-ui, and I expect this restriction to also apply to the OpenAPI definition, but apparently it does not. Or, if the ALL definition is available, then I expect swagger-ui to show that ALL definition as well, which it does not.
Describe the solution you'd like
I would like to disable the `/api/docs` endpoint, making it return 404, but not `/api/docs/subselection`, so that the OpenAPI definition is generated only for the defined groups.
Making it configurable via a property (e.g. `springdoc.api-docs.somethingetc=false`) would be ideal, as I can then switch it on/off between profiles.
I do not currently need this, as I understand the situation, but for new developers this might help with the unexpected part: consider showing the ALL definition in swagger-ui if the endpoint is enabled, or disabling the ALL definition by default if groups are defined. I do not know how OpenAPI and swagger-ui are expected to work together, but this mismatch caught me by surprise, resulting in me leaking internal endpoints.
Describe alternatives you've considered
An alternative is to deny access to `/api/docs` using Spring Security, but that is ugly because it still asks for authentication.
Another alternative is disabling the endpoint in a reverse proxy, but that is outside of the application's control.
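The setup described in this issue, as an added example that is not part of the original report or of the springdoc project: a `GroupedOpenApi` bean that limits the published definition to one group, plus a servlet filter registered ahead of the Spring Security chain that answers 404 on the ungrouped definition only. It assumes Spring Boot 3 / springdoc-openapi 2.x (`jakarta.servlet` imports, `org.springdoc.core.models.GroupedOpenApi`), the `springdoc.api-docs.path=/api/docs` setting from the report, and an assumed `/api/public/**` prefix and group name `public`. Because springdoc also serves the ungrouped definition as YAML at `/api/docs.yaml`, that path is blocked as well; exact servlet URL patterns do not match `/api/docs/{group}`, so the grouped definitions stay reachable.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springdoc.core.models.GroupedOpenApi;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class OpenApiExposureConfig {

    // Only endpoints under /api/public/** (assumed prefix) are described in the
    // "public" group; springdoc serves it at /api/docs/public (and /api/docs.yaml/public)
    // given springdoc.api-docs.path=/api/docs.
    @Bean
    public GroupedOpenApi publicApi() {
        return GroupedOpenApi.builder()
                .group("public")
                .pathsToMatch("/api/public/**")
                .build();
    }

    // Answers 404 for the ungrouped definition (/api/docs and its YAML twin
    // /api/docs.yaml). The registration runs at highest precedence, i.e. before
    // the Spring Security filter chain, so an unauthenticated caller receives
    // Not Found instead of an authentication challenge. The exact URL patterns
    // leave /api/docs/{group} untouched.
    @Bean
    public FilterRegistrationBean<OncePerRequestFilter> hideUngroupedApiDocs() {
        OncePerRequestFilter notFound = new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain) {
                // Deliberately do not continue the chain: the request ends here.
                response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            }
        };
        FilterRegistrationBean<OncePerRequestFilter> registration =
                new FilterRegistrationBean<>(notFound);
        registration.addUrlPatterns("/api/docs", "/api/docs.yaml");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

With this in place, `GET /api/docs` and `GET /api/docs.yaml` return 404 while `GET /api/docs/public` still returns the restricted definition; the same pattern can be toggled per profile by guarding the filter bean with `@Profile` or `@ConditionalOnProperty`. If the application runs under a servlet context path, the URL patterns are relative to that context, so no change is needed there.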