joas8211 / payload-tenancy

Multi-tenancy plugin for Payload CMS
MIT License

Cannot access REST APIs via Users API key #31

Closed: mancinfabio closed this issue 1 year ago

mancinfabio commented 1 year ago

Hi!

I'm having trouble making REST requests with API requests. I'm using the path strategy.

API key usage is enabled on the Users collection:

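import { CollectionConfig } from "payload/types";

const Users: CollectionConfig = {
  // ...
  auth: {
    // Lets each document in this collection (each user) hold its own API key
    useAPIKey: true,
  },
  admin: {
    useAsTitle: "email",
  },
  // ...
};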

When making REST requests like

curl --location 'http://localhost:3000/[TENANT_SLUG]/api/pages/[PAGE_ID]' \
--header 'Authorization: pages API-Key [API KEY GENERATED FOR THE USER ]' 

The request fails with

payload-cms-payload-1  | [13:43:35] ERROR (payload): Forbidden: You are not allowed to perform this action.
payload-cms-payload-1  |     at executeAccess (/home/node/app/node_modules/payload/src/auth/executeAccess.ts:10:43)
payload-cms-payload-1  |     at processTicksAndRejections (node:internal/process/task_queues:95:5)
payload-cms-payload-1  |     at async find (/home/node/app/node_modules/payload/src/collections/operations/find.ts:84:22)
payload-cms-payload-1  |     at async findHandler (/home/node/app/node_modules/payload/src/collections/requestHandlers/find.ts:30:20)

On the other hand, if I enable API keys of the pages collection and use the key generated that way, the request succeeds.

Is there something I'm missing? Thanks in advance

mancinfabio commented 1 year ago

Figured it out, it was my bad: I was using Authorization for the wrong collection.

It works fine with

curl  -X GET \
 'http://localhost:3000/[TENANT_SLUG]/api/pages/[PAGE_ID]' \
  --header 'Accept: */*' \
  --header 'Authorization: users [API KEY GENERATED FOR THE USER ]'
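The failure and the fix in this thread can be reproduced with a small model of per-collection API-key lookup. This is an added example, not code from Payload, payload-tenancy or the posters; it assumes the `<collection slug> API-Key <key>` header shape used in the first request, and the function names, collections and keys are constructed for illustration.

```javascript
// Simplified model (assumption, not Payload's source): the slug that prefixes
// the Authorization header selects the ONLY collection the key is checked against.
// Constructed sample data: one user key, API keys disabled on "pages".
const collections = {
  users: { useAPIKey: true, keys: new Map([["k-user-123", { id: "u1", collection: "users" }]]) },
  pages: { useAPIKey: false, keys: new Map() },
};

// Split "<slug> API-Key <key>" into its parts; null when the shape is wrong.
function parseAuthorization(header) {
  const m = /^(\S+) API-Key (\S+)$/.exec((header || "").trim());
  return m ? { slug: m[1], key: m[2] } : null;
}

// Resolve the caller. A null user means the request continues unauthenticated,
// which is what later surfaces as "Forbidden" from the collection's access check.
function resolveUser(header, cols = collections) {
  const parsed = parseAuthorization(header);
  if (!parsed) return { user: null, reason: "malformed header" };
  const known = Object.prototype.hasOwnProperty.call(cols, parsed.slug);
  if (!known) return { user: null, reason: "unknown collection" };
  const col = cols[parsed.slug];
  if (!col.useAPIKey) return { user: null, reason: "API keys not enabled on collection" };
  const user = col.keys.get(parsed.key);
  return user
    ? { user, reason: "ok" }
    : { user: null, reason: "key not found in collection" };
}

// The two requests from the thread, using the same constructed user key.
for (const slug of ["pages", "users"]) {
  const result = resolveUser(`${slug} API-Key k-user-123`);
  console.log(slug, "->", result.reason);
}
```

The slug in the header names the collection that issued the key, not the collection being queried, so a key issued to a user is sent with the `users` prefix even when the URL targets `/api/pages/...`.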