
cors settings do not take over values

Open sbc-mining opened this issue 3 years ago • 0 comments

Hello, everyone,

I would like to provide my API with an AuthToken. This also worked by adding it to the settings. Unfortunately, the whole thing doesn't work with Cors. Because here I would have to enter the following in the settings:

`'cors.allowHeaders' => 'Content-Type,X-XSRF-TOKEN,X-Authorization,X-API-Key'` <-- found that here on GitHub.

However, the connection fails. Now when I look at the response, it says the following:

Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin, Authorization

But this has nothing to do with the settings I specified.

I made all settings in routes.php. If I enter it in settings.php, CORS hardly works at all anymore, because then all the default values are gone.

My settings currently look like this:

```php
// Posted config, corrected to instantiate the php-crud-api Config class
// ("newConfig(" was a typo for "new Config(").
$config = new Config([
    'username' => 'xxx',
    'password' => 'xxx',
    'database' => 'api',
    'basePath' => '/api',
    'middlewares' => 'cors,apiKeyAuth',
    'apiKeyAuth.mode' => 'required',
    'apiKeyAuth.keys' => 'xxx',
    'cors.allowHeaders' => 'Content-Type,X-XSRF-TOKEN,X-Authorization,X-API-Key',
]);
```

It also seems that I can't disable cors if I take it out of middleware. Because then I still get error messages from Cors as feedback.

UPDATE: Unfortunately, I have to arrange it so that I have an API token with ONLY read rights. Is that even possible? Actually it is an internal and not an open API, but JavaScript cannot prevent users from getting the API key. So I would like to have one token that only reads and one that can do everything.

I use the whole thing in connection with Slim 4. The whole thing was installed according to the instructions linked here. I hope that there is a solution for this problem, because I couldn't find a solution here yet.

Background Information:

Maybe here is a little information as to why I need it and what we actually intend to do with the API:

We are a small team that creates various programs/bots for other people and also makes them available to the public as a service. We use the API so that the programs can communicate better with each other in the background, but also for the frontend output, for example the current status of a service (Ajax). No one but our own programs or ourselves should be able to make a change to the API, so we do not need any registration or anything like that. Rather, we need one user for the frontend that only reads, because that one is readable by JavaScript for every visitor to the website, and one for the backend that is allowed to do everything.

sbc-mining · Sep 09 '22 16:09
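The read-only versus full-access split asked for in the UPDATE can be expressed with php-crud-api's own middleware chain: `apiKeyAuth` validates the key, and the `authorization` middleware's `authorization.tableHandler` callback decides per operation whether the request may proceed. The following is an added example, not the issue author's code and not part of the php-crud-api project. It assumes that the `apiKeyAuth` middleware stores the accepted key in `$_SESSION['apiKey']` before calling the next middleware, that the table handler receives the operation name (`list`, `read`, `create`, `update`, `delete`, `increment`) as its first argument, and that the key values and origin are placeholders to be replaced with values read from the environment. It runs php-crud-api on its own (no Slim 4 wrapper) so that only php-crud-api's `cors` middleware emits the `Access-Control-Allow-Headers` response header, and it keeps `cors` first in the chain so the browser's `OPTIONS` preflight is answered before `apiKeyAuth` can reject a request that carries no `X-API-Key` header.

```php
<?php
// Added example (not from the issue author or the php-crud-api project).
// Assumptions, labelled where they matter:
//  - apiKeyAuth stores the validated key in $_SESSION['apiKey'] (assumed).
//  - authorization.tableHandler is called with ($operation, $tableName).
//  - Key values and the allowed origin are placeholders; real keys should be
//    long random strings loaded from the environment, never committed.
require 'vendor/autoload.php';

use Tqdev\PhpCrudApi\Api;
use Tqdev\PhpCrudApi\Config\Config;
use Tqdev\PhpCrudApi\RequestFactory;
use Tqdev\PhpCrudApi\ResponseUtils;

// Placeholder keys. Only the read-only key may ever be embedded in frontend
// JavaScript; the full-access key stays on the server side.
$readOnlyKey = getenv('API_KEY_FRONTEND') ?: 'PLACEHOLDER_READ_ONLY_KEY';
$fullKey     = getenv('API_KEY_BACKEND')  ?: 'PLACEHOLDER_FULL_ACCESS_KEY';

// Operations that do not modify data. Everything else (create, update,
// delete, increment) is denied to the read-only key.
$readOperations = ['list', 'read'];

$config = new Config([
    'username' => 'xxx',
    'password' => 'xxx',
    'database' => 'api',
    'basePath' => '/api',
    // Order matters: cors answers the OPTIONS preflight first, then
    // apiKeyAuth authenticates, then authorization enforces read-only access.
    'middlewares' => 'cors,apiKeyAuth,authorization',
    // The custom X-API-Key header must be listed, or the browser blocks the
    // real request after the preflight.
    'cors.allowHeaders' => 'Content-Type,X-XSRF-TOKEN,X-Authorization,X-API-Key',
    'cors.allowOrigin'  => 'https://www.example.com', // placeholder origin
    'apiKeyAuth.mode'   => 'required',
    'apiKeyAuth.keys'   => $readOnlyKey . ',' . $fullKey,
    // Deny write operations when the request was authenticated with the
    // read-only key; the full-access key is allowed everything.
    'authorization.tableHandler' => function ($operation, $tableName) use ($readOnlyKey, $readOperations) {
        $presentedKey = $_SESSION['apiKey'] ?? ''; // assumed: set by apiKeyAuth
        if ($presentedKey === $readOnlyKey) {
            return in_array($operation, $readOperations, true);
        }
        return true;
    },
]);

$request  = RequestFactory::fromGlobals();
$api      = new Api($config);
$response = $api->handle($request);
ResponseUtils::output($response);
```

With this chain a `GET /api/records/status` sent with the read-only key succeeds, while a `POST`, `PUT` or `DELETE` with the same key is refused by the authorization middleware rather than by the database. Because the read-only key is visible to every visitor, it should be treated as public: it must not be reused anywhere else, and the tables it can list should contain nothing that is not meant to be world-readable.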