Plugin endpoint returns error 403 when using API token #7

Open
nimajneb opened this issue Aug 5, 2022 · 8 comments
Labels
bug Something isn't working


nimajneb commented Aug 5, 2022

Bug report

Describe the bug

In an out-of-the-box installation of Strapi 4.3.2 and a clean install of the URL alias plugin, using the provided endpoint <API-URL>/url-alias/get?path=/custom/path returns an HTTP 403 error:

{
  "data": null,
  "error": {
    "status": 403,
    "name": "ForbiddenError",
    "message": "Forbidden",
    "details": {}
  }
}

I'm not sure if this should be considered a bug, feature request or just a documentation issue, so feel free to move this issue.

Steps to reproduce the behavior

  1. Install Strapi and the URL alias plugin:
       yarn create strapi-app my-project --typescript --quickstart && cd my-project
       yarn add @strapi-community/strapi-plugin-url-alias
  2. Set up a collection type
  3. Set up a URL alias pattern and an entry using that pattern
  4. Save the entry
  5. Try to fetch the entry via URL alias plugin at its custom path: <API-URL>/url-alias/get?path=/custom/path
  6. See error 403

Expected behavior

The actual entity should be returned.

Code snippets

I ran into the same issue when creating custom routes of my own, and as far as I've been able to research, it seems to have something to do with the API being protected by default. Generating a "read" API token makes the auto-generated routes return content, but it is not sufficient to make the routes of the URL alias plugin work.

What helped for my custom routes was to add an auth section to the routes config like so:

config: {
  policies: [],
  auth: {
    scope: ["find"],
  },
}

I can't do that for the plugin of course, and since this does not seem to be documented by Strapi, I don't know if this is really the correct way of handling it.

System

  • Node.js version: 16.16.0 LTS
  • NPM version: 8.11.0
  • Strapi version: 4.3.2
  • Plugin version: 1.0.0-alpha.4
  • Database: SQLite
  • Operating system: macOS Monterey v12.2

@nimajneb nimajneb changed the title from "Endpoint returns an error 30" to "Plugin endpoint returns error 403" Aug 5, 2022
@boazpoolman
Member

Hey @nimajneb,

This is somewhat by design. Every endpoint, whether it comes from a plugin, or a core API is by default protected. If you’re using the users-permissions plugin from @strapi you can alter the public role and grant them permission specifically for this endpoint. Then anybody with an internet connection can make a request to the endpoint.

Is this what you’re looking for?

@boazpoolman boazpoolman added the question Further information is requested label Aug 6, 2022

nimajneb commented Aug 6, 2022

Hey @boazpoolman,

No, I would like to keep this endpoint protected. What's unexpected for me is that even with a valid read API token it responds with said 403, while the autogenerated routes do work properly (using the same token). Interestingly enough, if I provide an invalid token, the url-alias route responds with HTTP 401 (message is: Missing or invalid credentials).
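
The status codes reported in this thread (401 for an invalid token, 403 for a valid read token where 200 is expected), turned into a repeatable access-control check. This is an added example, not code from the plugin or from Strapi; the token strings, the base URL, the stub and the status for anonymous requests are constructed assumptions.

```javascript
// Added example: access-control check for the plugin route from this issue.
const ROUTE = '/url-alias/get?path=/custom/path'; // path as given in the issue

// Acceptable status per credential kind for a route that stays protected
// but is usable with a read-only API token.
const EXPECTED = {
  anonymous: (s) => s === 401 || s === 403, // never 200 while protected
  invalidToken: (s) => s === 401,           // "Missing or invalid credentials"
  readToken: (s) => s === 200,
};

// Collect one status per credential kind. fetchImpl is injected so the check
// runs against a stub (below) or the global fetch of Node 18+.
async function collect(fetchImpl, baseUrl, tokens) {
  const observed = {};
  for (const kind of Object.keys(EXPECTED)) {
    const headers = tokens[kind] ? { Authorization: `Bearer ${tokens[kind]}` } : {};
    const res = await fetchImpl(baseUrl + ROUTE, { headers });
    observed[kind] = res.status;
  }
  return observed;
}

// Map observed statuses to findings; an empty array means the route is both
// protected and reachable with the token.
function evaluate(observed) {
  const findings = [];
  for (const [kind, ok] of Object.entries(EXPECTED)) {
    const status = observed[kind];
    if (ok(status)) continue;
    if (kind !== 'readToken' && status === 200) {
      findings.push(`${kind}: route answers without valid credentials`);
    } else if (kind === 'readToken' && status === 403) {
      findings.push('readToken: authenticated but not authorized for this route');
    } else {
      findings.push(`${kind}: unexpected status ${status}`);
    }
  }
  return findings;
}

// Constructed stub reproducing the statuses reported in the thread. The
// anonymous status is an assumption; the thread does not state it.
const stubFetch = async (_url, { headers }) => {
  if (!headers.Authorization) return { status: 403 };
  return { status: headers.Authorization === 'Bearer valid-read-token' ? 403 : 401 };
};
const SAMPLE_TOKENS = { invalidToken: 'not-a-token', readToken: 'valid-read-token' };
collect(stubFetch, 'http://strapi.example/api', SAMPLE_TOKENS).then((o) => console.log(evaluate(o)));
```

Passing the global fetch and real tokens in place of the stub runs the same check against an instance, which is useful after a plugin upgrade to confirm the route is still closed to unauthenticated callers.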

@boazpoolman
Member

Aha got it. I haven’t used Strapi with the API tokens myself just yet. I’ll play around with it. Probably some config I need to set to make it work 🙂

@boazpoolman boazpoolman added bug Something isn't working and removed question Further information is requested labels Aug 7, 2022
@boazpoolman
Member

@nimajneb I added the change that worked for your custom endpoints in the plugin:

config: {
  policies: [],
  auth: {
    scope: ["find"],
  },
}

Tested it out and it seemed to work for me.
Could you test it out just to be sure?

yarn add strapi-community/strapi-plugin-url-alias
npm install strapi-community/strapi-plugin-url-alias


nimajneb commented Aug 9, 2022

@boazpoolman It works like a charm now. Thanks! :)

This is the same solution I described above (by just hacking the plugin source in node_modules). I was just not sure if it's the proper way of doing it, because I couldn't find this in the Strapi documentation.

@boazpoolman
Member

Honestly, I'm not sure if this is the correct way of doing it myself as well.
I've looked at other plugin endpoints, the /api/users endpoint of the users-permissions endpoint for example.
I didn't see this scope syntax being used, though their endpoint did work with the API token.

But ah well. If it works it works huh 🤷

@boazpoolman
Member

This was released with version 1.0.0-alpha.5 of the plugin.
If you're still experiencing the issue beyond this version feel free to re-open the GH issue or create a new one.

@boazpoolman
Member

As mentioned in #17, by adding the auth scope in the routes config the endpoints do work with the API token, but they don't work with the RBAC from the users-permissions plugin.

I've rolled back the change and released that in v1.0.0-alpha.6.
That does mean this issue will be re-opened and we need to find another way to make the endpoints work with the API token.

@boazpoolman boazpoolman reopened this Sep 5, 2022
@boazpoolman boazpoolman changed the title from "Plugin endpoint returns error 403" to "Plugin endpoint returns error 403 when using API token" Sep 5, 2022