Closed santo74 closed 3 years ago
Check this example of how it controls which actions are protected: https://github.com/moleculerjs/moleculer-examples/blob/master/conduit/services/api.service.js#L97 and https://github.com/moleculerjs/moleculer-examples/blob/master/conduit/services/articles.service.js#L83
Thanks for the pointers icebob! So if I understand correctly, the suggestion is to enable authorization for the whole API (i.e. the /api route) but then override this behaviour in the authorize implementation based on the auth flag of each action?
This sounds good, but the only thing I'm worried about with this implementation is that each action is public by default, unless an explicit auth: true flag is set. So whenever one forgets to set this flag, the action is exposed via the gateway.
But I suppose I can revert that behaviour by throwing an UnAuthorizedError when auth fails, unless the auth flag of the action is explicitly set to false (auth: false)?
In this case, change the logic, rename the prop to noAuth: true, and swap the condition in the authorization as well.
Yes, noAuth: true is better than auth: false
Anyway, I tested this setup and it's working as expected. So I'm closing the issue...
Thanks @icebob
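The deny-by-default check discussed in the comments above, as an added example that is not code from the thread or from moleculer-web: every action resolved by the gateway requires a valid token unless its definition carries exactly `noAuth: true`. Assumptions: `UnAuthorizedError` is a local stand-in for the gateway's error class, and `resolveUser`, the token and the action names are constructed; the lookup is in-memory, so the hook is synchronous here.

```javascript
// Local stand-in for the gateway's UnAuthorizedError (assumption), so this runs offline.
class UnAuthorizedError extends Error {
  constructor(type) {
    super("Unauthorized");
    this.code = 401;
    this.type = type;
  }
}

// Hypothetical token lookup with a constructed token; a real gateway would call a users service.
const VALID_TOKENS = new Map([["constructed-token-123", { id: 1, username: "alice" }]]);
const resolveUser = (token) => VALID_TOKENS.get(token) || null;

// Shaped like the gateway's authorize(ctx, route, req) hook.
// req.$action is the definition of the action the request resolved to.
function authorize(ctx, route, req) {
  const action = req.$action || {};
  // Only the exact boolean true opts out. A missing flag, a misspelled key
  // or a truthy non-boolean leaves the action protected.
  if (action.noAuth === true) return null;

  const header = (req.headers && req.headers.authorization) || "";
  const match = /^(?:Bearer|Token) (.+)$/.exec(header);
  if (!match) throw new UnAuthorizedError("NO_TOKEN");

  const user = resolveUser(match[1]);
  if (!user) throw new UnAuthorizedError("INVALID_TOKEN");

  ctx.meta.user = user; // make the identity available to the called action
  return user;
}

// Constructed action definitions, as they would appear in service schemas.
const actions = {
  "articles.list": { noAuth: true },   // explicitly public
  "articles.create": {},               // flag forgotten: stays protected
  "articles.remove": { noauth: true }  // misspelled flag: stays protected
};

// Helper that simulates one gateway request against an action.
function check(actionName, authorization) {
  const req = { $action: actions[actionName], headers: authorization ? { authorization } : {} };
  try {
    authorize({ meta: {} }, {}, req);
    return "allowed";
  } catch (err) {
    return `denied:${err.type}`;
  }
}
```
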
Hi,
I have the following requirements:
I have several services where each service has multiple actions. Some actions will be accessible via an API gateway, some not (they are private). Some of the actions accessible via the API gateway should only be accessible after auth, others are public.
My API should have this structure:
What works:
The closest I'm getting is with this code:
The problem:
This works, but it results in ugly paths for the APIs:
So there are actually 2 problems with this approach, but I don't know how to fix this with moleculer(-web):