Open jalexbrun opened 6 years ago
Same here. Authentication processed regardless access_token_required!
is given or not.
Update: This is probably caused Middleware that inject itself calls Bearer "authorization" method automatically. When that happens, Grape thinks you want authentication.
For the time being, the only workaround is using include in only specific endpoints. I hope we can get @nbulaj' s attention here.
@johnbrun09 @gencer thanks for the reporting, I will check it ASAP.
@johnbrun09 can yo please provide full code listing for the module where you are injecting include Grape::OAuth2.api
? I can't guess if you get a 401 error without the gem injection or with..
Since no reply made. Let me gave you mine:
module V2
class Base < Grape::API
version 'v2', using: :path, vendor: 'test'
format :json
# prefix :api
include Grape::OAuth2.api
mount V2::Query
# ... other mounts
end
end
module V2
class Query < Grape::API
# all actions in this class requires authentication. No matter you give :access_token_required! or not.
end
end
@gencer @johnbrun09 what am I doing wrong?
https://gist.github.com/nbulaj/ff3716d1043143c01b2237c4fa34517a
I've added two endpoints to simple Grape API, one public and one protected (after injecting Grape::OAuth2), and tested it with rackup and curl.
The gist you prepared is the same scheme I used. Only difference (not wrong) is how we used it.
For me; I use it with Rails5. Maybe Rails has something to do with this or some gem interfere?
Because, I am positively sure that mounting api endpoints after oauth.api, makes all mounts authenticable. But before them is public.
Should I prepare a skeleton/sample project for you maybe?
@gencer it will be great, because it's hard for me to find a concrete problem without knowing all the environment.
Hi @gencer . Any update here?
@nbulaj, I completely forgot about this. I was switched to doorkeeper at that time.
However, I just illustrated a sample on my end and it seems it just passes my test. However, I can't remember exactly what was my previous environment like which was failed as this issue stated 🤕.
I call access_token_required! in several of my api endpoints, but not in the UserLogin endpoints.
if I do the following
I get a 401 error when attempting to log in, even though access_token_required! is not being used in that file.
If I do the following instead
Then the user login controller is called without checking for an access token.