Closed: netsensei closed this issue 1 year ago
@netsensei for some reason that builtin authentication handler returns status 401 instead of 403 (so also in the oai-service), either when no key is given, or when the wrong key is given.
I can of course change the status code in the error handler (https://github.com/ugent-library/people-service/blob/main/cmd/server_cmd.go#L60), but then there is also that wrapped error that contains "unauthorized" somewhere.
@nicolasfranck 401 is the correct status code when you don't pass an API key, or the API key is invalid, revoked, etc.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
> indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
403 would be used if the application refuses authorization:
> The access is tied to the application logic, such as insufficient rights to a resource.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
Story
The RESTful API of the People service needs to be secured. I can only access the API calls if I pass an API key along with the HTTP requests.

Success criteria
X-Api-Key
I'm authenticated / granted access to the API call

Implementation suggestion
Define how you will secure the API in the openapi.yaml file:

In api.go implement a security handler:

Add it to mux in api.go:

Finally, add the config.APIKey to your Config struct as an environment variable.
Write a high-level way to test this with Cypress if applicable.
Additional information
e.g. requires external API integration, etc.
Related issues
18
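The 401-versus-403 point from the comments above and the security-handler step of the implementation suggestion, as an added stand-alone Go example (not the people-service code): a middleware that checks the X-Api-Key header and answers 401 when the key is missing or wrong, leaving 403 to the application logic behind it. The route path and the key value are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// apiKeyAuth serves the request only when its X-Api-Key header matches expected.
// A missing or wrong key yields 401 (the client is not authenticated); 403 is
// reserved for callers that are authenticated but refused by the handler behind
// this one (insufficient rights to a resource), so it is never emitted here.
func apiKeyAuth(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Api-Key")
		// Constant-time compare so response timing does not leak matching prefixes.
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "unauthorized: missing or invalid API key", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one in-memory request against a protected mux and returns the
// status code the client would observe. An empty key means "header not sent".
func statusFor(expected, key string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/people", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok") // constructed endpoint for the example
	})
	req := httptest.NewRequest(http.MethodGet, "/people", nil)
	if key != "" {
		req.Header.Set("X-Api-Key", key)
	}
	rec := httptest.NewRecorder()
	apiKeyAuth(expected, mux).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed value; in a real deployment read it from config.APIKey (environment).
	const key = "constructed-example-key"
	fmt.Println(statusFor(key, ""))          // 401: no key sent
	fmt.Println(statusFor(key, "wrong-key")) // 401: invalid key
	fmt.Println(statusFor(key, key))         // 200: authenticated
}
```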