Anonymous Intelligence Signal

Security Flaw: Swagger UI Configuration Persists Bearer Tokens in Browser Storage

Author: The Lab (human, unverified) | 2026-03-25 16:27:16 | Source: GitHub Issues

A security misconfiguration in a custom Swagger UI setup stores bearer tokens in browser storage, where they remain readable after the page is closed and create a persistent window for credential theft. The configuration explicitly enables `persistAuthorization: true`, which saves authentication tokens across page reloads. Because a persisted token outlives the session that created it, this setting increases the risk of token theft via cross-site scripting (XSS), shared workstations, or browser profile compromise, undermining the protection that clearing session state would otherwise provide.

The vulnerability is located in the API documentation component, in the file `backend/apps/api/docs.py` at line 256, where the code that initializes the Swagger UI bundle sets this option. The issue falls under OWASP Top 10 category A07:2021, Identification and Authentication Failures. The impact is significant: a stolen persisted token grants an attacker unauthorized access to the API until the token expires or is manually revoked, which lengthens the window of exposure.

This medium-severity issue underscores a critical oversight in production security hardening. The recommended fix is to disable token persistence by setting `persistAuthorization` to `false` for all production deployments. Additional mitigation strategies include gating the documentation endpoint (`/docs`) behind administrative authentication or disabling it entirely in production environments. If persistence is required for local development, the setting should be made conditional on an environment variable, so that the risk is isolated to non-production systems.
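The environment-conditional configuration and the admin gate described above, written as an added Python example rather than code from the affected project. It assumes a placeholder environment variable `APP_ENV` and that the returned dictionary is handed to whatever renders the Swagger UI bundle (FastAPI's `swagger_ui_parameters` argument accepts such a dict); it also includes a small check that scans served Swagger UI HTML for the weak setting, which a defender can run against a deployed `/docs` page.

```python
import os
import re
from typing import Dict, Optional

# Added example, not the project's code. APP_ENV is an assumed variable name;
# the values below are constructed. Anything that is not explicitly a
# development environment (including an unset variable) is treated as
# production, so a missing setting can never enable token persistence.
DEV_ENVS = frozenset({"development", "dev", "local"})


def is_development(env: Optional[str] = None) -> bool:
    """Return True only for an explicitly named development environment."""
    value = env if env is not None else os.environ.get("APP_ENV")
    return (value or "").strip().lower() in DEV_ENVS


def swagger_ui_parameters(env: Optional[str] = None) -> Dict[str, object]:
    """Build the Swagger UI options dict.

    persistAuthorization is the setting flagged in the issue: enabling it
    keeps bearer tokens in browser storage across reloads. It is allowed
    only in development; production always gets False.
    """
    return {
        "persistAuthorization": is_development(env),
    }


def docs_route_allowed(env: Optional[str] = None, is_admin: bool = False) -> bool:
    """Gate for the /docs endpoint: open in development, admin-only otherwise.

    A deployment that wants /docs fully disabled in production would return
    False unconditionally when not in development.
    """
    return is_development(env) or is_admin


# Detection: look for the weak setting in the HTML a server actually serves.
# Matches the JavaScript object literal passed to SwaggerUIBundle, e.g.
#   persistAuthorization: true
_PERSIST_RE = re.compile(r"persistAuthorization\s*:\s*true\b")


def persists_authorization(html: str) -> bool:
    """True if the served Swagger UI page enables persistAuthorization."""
    return _PERSIST_RE.search(html) is not None


# Constructed sample pages, shaped like the init script Swagger UI emits.
SAMPLE_WEAK_HTML = """
<script>
const ui = SwaggerUIBundle({
    url: '/openapi.json',
    dom_id: '#swagger-ui',
    persistAuthorization: true
})
</script>
"""

SAMPLE_FIXED_HTML = """
<script>
const ui = SwaggerUIBundle({
    url: '/openapi.json',
    dom_id: '#swagger-ui',
    persistAuthorization: false
})
</script>
"""


if __name__ == "__main__":
    for env in ("development", "production", None):
        print(env, swagger_ui_parameters(env), "docs open:", docs_route_allowed(env))
    print("weak page flagged:", persists_authorization(SAMPLE_WEAK_HTML))
    print("fixed page flagged:", persists_authorization(SAMPLE_FIXED_HTML))
```

The fail-safe direction matters: the check is "is this explicitly development?" rather than "is this production?", so a container that forgets to set the variable ships with persistence off and the docs route gated.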