
Ability to use auth for the API

Open jasonvarga opened this issue 5 years ago • 9 comments

Obviously not a pressing issue for the initial read-only phase, but people may want to add auth. We can discuss it more in Slack.

jasonvarga avatar Dec 16 '19 21:12 jasonvarga

Pretty pressing for the Users route honestly.

MadeByMike avatar Nov 25 '20 11:11 MadeByMike

I was discussing API bits in discord yesterday, and maybe it is more relevant here.

https://github.com/statamic/cms/issues/2910

I’d still call it a bug, but it has some ideas also, particularly related to limiting some of the things that are accessible via unauthenticated API. And I quote:

Related to this, I feel that the API shouldn’t expose draft content at all until such a point as it has authentication available. Perhaps also overriding the future date behavior should also require authentication.

fitzage avatar Nov 25 '20 16:11 fitzage

It would honestly be great to have the auth feature available in the nearest future. Is it anywhere on the roadmap, Jason?🙏

jkaliski avatar Jan 06 '22 23:01 jkaliski

You are able to customize the middleware for the API already. By default the API routes use the api middleware group.

https://github.com/statamic/statamic/blob/94e92d02d3c43ccf623213a6445678281b168263/config/statamic/api.php#L43

You can customize that in your Http Kernel:

https://github.com/statamic/statamic/blob/94e92d02d3c43ccf623213a6445678281b168263/app/Http/Kernel.php#L41-L45

You can easily add basic http auth by adding 'auth.basic' to that array. It'll prompt you for email/password when you visit the API. You can enter your user credentials in there.

Or, you can use another package like Laravel Sanctum and plop that in the array.

(Edit: You can't use Sanctum as-is because it's very tied to Eloquent User models. However I was able to get it to work with only a small handful of tweaks. Anyway - a custom guard like Sanctum totally works.)

jasonvarga avatar Jan 07 '22 15:01 jasonvarga
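
A stateless variant of the `'auth.basic'` suggestion in the comment above, as an added example that is not code from the thread's participants or from Statamic. The class name `ApiBasicAuth` and its location are assumptions, and it assumes the default guard resolves Statamic users the same way `'auth.basic'` does in that comment.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

/**
 * Hypothetical middleware (name and path are assumptions, not part of
 * Statamic): HTTP Basic auth for the API routes without a session.
 *
 * Register it by adding the class to the 'api' group in
 * app/Http/Kernel.php, in the place where the comment above suggests
 * adding 'auth.basic'.
 */
class ApiBasicAuth
{
    public function handle(Request $request, Closure $next)
    {
        // Basic auth sends the credentials with every request, only
        // base64-encoded, so refuse plain HTTP outside local development.
        // Behind a TLS-terminating proxy, secure() is only accurate when
        // trusted proxies are configured.
        if (! $request->secure() && ! app()->environment('local')) {
            abort(403, 'HTTPS is required for the API.');
        }

        // onceBasic() validates the Authorization header against the
        // default guard for this request only, with no session or cookie.
        // A failed check ends the request with a 401 and a
        // "WWW-Authenticate: Basic" challenge; success yields null, so
        // the request continues down the pipeline.
        return Auth::onceBasic() ?: $next($request);
    }
}
```

Because every API request now carries a user's password, keep the group's existing throttle middleware ahead of this class so repeated failed attempts are rate limited.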

Hi,

We're looking at Statamic for various projects but all require headless authentication, without it we won't be able to achieve login and page permissions for frontend users in a Nuxt or similar API driven app.

In the API docs it does say that Authentication is still to come, is there any ETA on it or a thorough workaround until it's officially part of the API? Preference would be Sanctum for API use and possibly tie that up to Fortify but Sanctum at a minimum would be great.

Thanks!

AugmentBLU avatar Aug 05 '22 13:08 AugmentBLU

@jasonvarga any tips or a small todo to get Sanctum working with Statamic? Where do we start...

jhhazelaar avatar Aug 28 '23 10:08 jhhazelaar

@jhhazelaar if you're on discord hit me up on this - I've done it and can walk you through it

ryanmitchell avatar Sep 20 '23 09:09 ryanmitchell

Would be very very useful... like Strapi or Directus does it: https://docs.directus.io/reference/authentication.html

j-vitali avatar Apr 30 '24 06:04 j-vitali