search

grape-oauth2 / grape_oauth2

Flexible, ORM-agnostic, fully customizable and simple OAuth2 provider for Grape API
41 stars 23 forks source link

Access Token being checked even on endpoints not calling access_token_required! #9

Open jalexbrun opened 6 years ago

jalexbrun commented 6 years ago

I call access_token_required! in several of my api endpoints, but not in the UserLogin endpoints.

if I do the following 


   mount Api::UserLogin
   mount Api::SomeOtherEndpoint

I get a 401 error when attempting to log in, even though access_token_required! is not being used in that file.

If I do the following instead


   include Grape::OAuth2.api

   mount Api::SomeOtherEndpoint

Then the user login controller is called without checking for an access token.

gencer commented 6 years ago

Same here. Authentication processed regardless access_token_required! is given or not.

Update: This is probably caused Middleware that inject itself calls Bearer "authorization" method automatically. When that happens, Grape thinks you want authentication.

For the time being, the only workaround is using include in only specific endpoints. I hope we can get @nbulaj' s attention here.

nbulaj commented 6 years ago

@johnbrun09 @gencer thanks for the reporting, I will check it ASAP.

nbulaj commented 6 years ago

@johnbrun09 can yo please provide full code listing for the module where you are injecting include Grape::OAuth2.api ? I can't guess if you get a 401 error without the gem injection or with..

gencer commented 6 years ago

Since no reply made. Let me gave you mine:

  module V2
    class Base < Grape::API
      version 'v2', using: :path, vendor: 'test'
      format :json
      # prefix :api

      include Grape::OAuth2.api
      mount V2::Query
      # ... other mounts

    end
  end
 module V2
   class Query < Grape::API
       # all actions in this class requires authentication. No matter you give :access_token_required! or not.
   end
 end
nbulaj commented 6 years ago

@gencer @johnbrun09 what am I doing wrong?

https://gist.github.com/nbulaj/ff3716d1043143c01b2237c4fa34517a

I've added two endpoints to simple Grape API, one public and one protected (after injecting Grape::OAuth2), and tested it with rackup and curl.

gencer commented 6 years ago

The gist you prepared is the same scheme I used. Only difference (not wrong) is how we used it.

For me; I use it with Rails5. Maybe Rails has something to do with this or some gem interfere?

Because, I am positively sure that mounting api endpoints after oauth.api, makes all mounts authenticable. But before them is public.

Should I prepare a skeleton/sample project for you maybe?

nbulaj commented 6 years ago

@gencer it will be great, because it's hard for me to find a concrete problem without knowing all the environment.

nbulaj commented 6 years ago

Hi @gencer . Any update here?

gencer commented 6 years ago

@nbulaj, I completely forgot about this. I was switched to doorkeeper at that time.

However, I just illustrated a sample on my end and it seems it just passes my test. However, I can't remember exactly what was my previous environment like which was failed as this issue stated 🤕.