Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

REST API returns backendServiceUrl #324

Open Blackbaud-BenLambert opened 4 years ago

Blackbaud-BenLambert commented 4 years ago

Related to the question I asked in #270, I'm calling the new developer portal REST API /apis endpoint from our site, and it returns an array of api entities. The properties object includes a serviceUrl that contains the URL to the backend API:

For example:

    {
        "value": [
            {
                "id": "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/apis/12345",
                "type": "Microsoft.ApiManagement/service/apis",
                "name": "some-api",
                "properties": {
                    "displayName": "Some API",
                    "apiRevision": "1",
                    "description": "Some API description.",
                    "serviceUrl": "https://someapi...",
                    "path": "someapi",
                    "protocols": [
                        "https"
                    ],
                    "authenticationSettings": null,
                    "subscriptionKeyParameterNames": null,
                    "isCurrent": true
                }
            }
            . . .
        ],
        "count": ...
    }

I wonder why the serviceUrl is included here?

I'd rather not have the backend API URL leaked out and sent down to the client - the new developer portal won't be talking directly to the API backend, and anyone sniffing the network traffic in the browser debugger would be able to discover the URL of the API backend itself (not callable of course, but seems odd to unnecessarily leak it this way).

Any thoughts on perhaps removing that property from the developer-facing portal REST API responses?

mikebudzynski commented 4 years ago

@Blackbaud-BenLambert - thanks for reporting the issue, we're aware of the problem. Currently the new developer portal uses the direct access API in API Management.

We're planning to create a separate data endpoint for the portal. The new data API won't expose certain information, such as the backendServiceUrl property.

We don't have an ETA yet.
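
The concern raised in this thread can be handled on the consuming site by projecting each api entity onto an allow-list before the response reaches the browser. The following is an added example, not code from the thread or from the developer portal project; it assumes the site calls the `/apis` endpoint from server-side code, and the function names, the allow-list contents and the sample values are hypothetical.

```javascript
// Property names are taken from the sample response in the issue.
// Which of them the client needs is an assumption of this example.
const ALLOWED_PROPERTIES = new Set([
  "displayName", "apiRevision", "description", "path", "protocols", "isCurrent",
]);

// Copy one api entity, keeping only allow-listed properties, and report
// the names of the properties that were withheld so they can be logged.
function projectApiEntity(entity) {
  const e = entity || {};
  const source = (typeof e.properties === "object" && e.properties) || {};
  const properties = {};
  const withheld = [];
  for (const [key, value] of Object.entries(source)) {
    if (ALLOWED_PROPERTIES.has(key)) properties[key] = value;
    else withheld.push(key); // unknown or sensitive keys are dropped by default
  }
  // Assumption: the client only needs "name"; the full resource "id" is not forwarded.
  return { entity: { name: e.name, properties }, withheld };
}

// Project the whole list response and collect the distinct withheld property names.
function projectApiList(response) {
  const items = Array.isArray(response && response.value) ? response.value : [];
  const results = items.map(projectApiEntity);
  return {
    body: { value: results.map((r) => r.entity), count: results.length },
    withheld: [...new Set(results.flatMap((r) => r.withheld))].sort(),
  };
}

// Constructed sample modelled on the response in the issue (placeholder values).
const sampleResponse = {
  value: [{
    id: "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/apis/12345",
    type: "Microsoft.ApiManagement/service/apis",
    name: "some-api",
    properties: {
      displayName: "Some API", apiRevision: "1", description: "Some API description.",
      serviceUrl: "https://backend.example.invalid/some-api", // constructed value
      path: "someapi", protocols: ["https"], authenticationSettings: null,
      subscriptionKeyParameterNames: null, isCurrent: true,
    },
  }],
  count: 1,
};

const projected = projectApiList(sampleResponse);
console.log(JSON.stringify(projected.body, null, 2));
console.log("withheld:", projected.withheld.join(", "));
```

Because the filter is an allow-list, a property added to the upstream response later is withheld until someone decides the client needs it.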