Add "methods" rule property to routes.json

[danspark]

It looks like I can use the routes.json file to add auth to my azure functions routes, so I think it makes sense to specify which methods the routes.json rules would apply to.

In my scenario, I have a route called api/catalog-items, and I would like to only allow POST, PUT and DELETE for authenticated users, but GET request have no auth rules. I'm thinking an array would be the best data type, and GET would be the default value for unspecified route objects.

Example:

{
  "routes": [
    {
      "route": "/api/catalog-items",
      "allowedRoles": ["authenticated"],
      "methods": ["POST","PUT","DELETE"]
    }
  ]
}

Are there any plans to support this?

[miwebst]

We will take a look at adding this, thanks for the suggestion! I see this as really only applicable to the Functions api calls and not really relevant to the static content. Does that match your expectation?

[danspark]

Yeah, I guess it's only applicable to the functions back-end. As it is now it's still really useful to be able to add authentication/authorization to my functions, but I'm really curious if this is something that I am supposed to be doing, is this a planned use-case? Thanks for answering by the way.

[miwebst]

So there are 2 planned use cases when working with auth and Functions. One is using the routes.json to allow/deny particular sets of users based on roles. The second is using the auth information passed to the Function as a header to perform more in depth authentication checks (i.e. you may want to allow/deny based on the email of a user).

[danspark]

Great, thanks! Should I close this then?

[miwebst]

We can leave this open in case anyone else wants to contribute to the conversation and we can also use this for tracking.

[miwebst]

Hey @danspark , we have launched a new config file today with some breaking changes that will allow us to continue to add functionality going forward. We have added a "methods" matching criteria to our routes; you can find more info here: https://docs.microsoft.com/en-us/azure/static-web-apps/configuration

[danspark]

@miwebst This is great! I'm guessing this issue can be closed, then? Didn't find the breaking changes in the page, though.

[miwebst]

Ah this is a great point @craigshoemaker should we consider making a section to talk about the breaking changes?

@danspark, the main changes are to the naming of different properties (i.e. response overrides) and the wildcard routing behavior / introduction of navigation fallbacks.