apostrophe-headless
Limiting access by apiKey looks like it is being ignored
So I'm trying to limit data access unless the request gives a valid key. (Maybe I'm using it wrong and don't understand something, please enlighten me.)

I've added to some of my modules:

```js
apiKeys: [ 'accesskey' ]
```

and then started testing it with:

```js
request({ uri: 'http://localhost:3000/api/v1/some', qs: { apikey: 'accesskey', }, method: 'GET' })
```

It looks like it returns everything right, but if I remove `apikey` from the request, it still works! (Is it intended?)

So I've jumped into the code and found the following at index.js:233:

```js
var key = req.query.apikey || req.query.apiKey || getAuthorizationApiKey();
if (!key) { return next(); }
```

Trying to understand the meaning of it... If `apikey` is not set in the request, then skip any validation?? Why are we doing this?

Would it be better to do something like this?

```js
if (_.isEmpty(self.options.apiKeys) && !key) { return next(); }
```

If it is intended to be like this, is there another way to limit data access between two servers?
API keys are used to grant extra privileges beyond what the public has anyway.
If it would be visible to the public on a regular apostrophe site, it is visible to the public via the API too.
Support for altering the permissions model so that the public has no access to the API at all without a key would be a new feature.
On Wed, Dec 11, 2019 at 4:16 AM fedoseiev [email protected] wrote:
--
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his