joas8211 / payload-tenancy

Multi-tenancy plugin for Payload CMS
MIT License

Cannot access REST APIs via Users API key #31

Closed mancinfabio closed 10 months ago

mancinfabio commented 10 months ago

Hi!

I'm having trouble making REST requests with API requests. I'm using the path strategy.

API key usage is enabled on the Users collection:

const Users: CollectionConfig = {
  // ...
  auth: {
    useAPIKey: true,
  },
  admin: {
    useAsTitle: "email",
  },
  // ...
};

When making REST requests like

curl --location 'http://localhost:3000/[TENANT_SLUG]/api/pages/[PAGE_ID]' \
--header 'Authorization: pages API-Key [API KEY GENERATED FOR THE USER ]' 

The request fails with

payload-cms-payload-1  | [13:43:35] ERROR (payload): Forbidden: You are not allowed to perform this action.
payload-cms-payload-1  |     at executeAccess (/home/node/app/node_modules/payload/src/auth/executeAccess.ts:10:43)
payload-cms-payload-1  |     at processTicksAndRejections (node:internal/process/task_queues:95:5)
payload-cms-payload-1  |     at async find (/home/node/app/node_modules/payload/src/collections/operations/find.ts:84:22)
payload-cms-payload-1  |     at async findHandler (/home/node/app/node_modules/payload/src/collections/requestHandlers/find.ts:30:20)

On the other hand, if I enable API keys for the pages collection and use the key generated that way, the request succeeds.

Is there something I'm missing? Thanks in advance.

mancinfabio commented 10 months ago

Figured it out, it was my bad: I was using Authorization for the wrong collection.

It works fine with

curl -X GET \
  'http://localhost:3000/[TENANT_SLUG]/api/pages/[PAGE_ID]' \
  --header 'Accept: */*' \
  --header 'Authorization: users API-Key [API KEY GENERATED FOR THE USER ]'
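A simplified model of why the first request was rejected, as an added example that is not part of the thread or of Payload's or the plugin's code. It assumes the header format `<collection-slug> API-Key <key>` seen above selects the collection whose keys are searched; the `collections` table, key values and function names are constructed for illustration.

```javascript
// Simplified model of collection-scoped API-key lookup (assumption, not Payload source).
// Constructed sample data: API keys are enabled on "users" only, as in the issue.
const collections = {
  users: {
    useAPIKey: true,
    keys: { "key-users-0001": { id: "u1", email: "editor@example.test" } },
  },
  pages: { useAPIKey: false, keys: {} },
};

// Own-property check so slugs like "__proto__" never resolve to inherited objects.
const own = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

// Parse "<collection-slug> API-Key <key>"; returns null when the shape is wrong.
function parseAuthHeader(header) {
  const m = /^(\S+) API-Key (\S+)$/.exec(String(header || "").trim());
  return m ? { slug: m[1], key: m[2] } : null;
}

// Resolve a header to a user, or report why the request stays unauthenticated
// (an unauthenticated request is then subject to the collection's access rules).
function resolveApiKey(header, config = collections) {
  const parsed = parseAuthHeader(header);
  if (!parsed) return { user: null, reason: "malformed-header" };
  if (!own(config, parsed.slug)) {
    return { user: null, reason: "unknown-collection" };
  }
  const collection = config[parsed.slug];
  if (!collection.useAPIKey) {
    return { user: null, reason: "api-keys-disabled-on-collection" };
  }
  if (!own(collection.keys, parsed.key)) {
    // The key may be valid elsewhere, but only this collection is searched.
    return { user: null, reason: "key-not-in-collection" };
  }
  return { user: collection.keys[parsed.key], reason: "ok" };
}

// The two requests from the thread, with the constructed key substituted:
console.log(resolveApiKey("pages API-Key key-users-0001").reason);
console.log(resolveApiKey("users API-Key key-users-0001").reason);
```

When a 403 like the one above appears, checking that the slug in the header names the collection that issued the key is the first thing to rule out.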