Is the option api_token implemented ? #322
Comments
Hello @bnbc, I've given feedback here #254 (comment) and here #326 (comment), could you please explain your use-case for this feature?
Hello @benjamincanac, instead of doing that:
I just feel it is better to have the possibility to set an api_token option:
And use basic calls of your module like that:
Nice job!
@bnbc Why would you use an api token to fetch your articles? Can't you just set the
OK, I'm new to Strapi (v4) and I have just seen how to set permissions to Public like you say. But it is not the default configuration; one of the first steps is to create an API token to protect data access. So that's why I was surprised when I didn't see token params in the options of your module, because for me it is mandatory (but no). Maybe it is just my opinion and my concepts, but it feels logical to me :)
We're not implementing this api token feature because if we do, your api token will be leaked and accessible to all users as it will show up in the browser request headers.
Oh yes, I feel stupid :/ I didn't realize it was so easy to get the token. So I will protect my API access with IP rules. Thanks
I'm a bit confused as to why you wouldn't use the API tokens in this way? You can create them as read only - which is fine, plus how else are you meant to restrict access other than doing what @bnbc suggests and restrict by IP address?
@gwynhokkers Do you have a use-case where you need an API token that won't be leaked? Maybe I'm missing something here
If I'm not wrong, the API token is not exposed when using static builds. So unless the API is used to make the call at runtime, the token is not exposed. But of course... if it is restricted by IP it is much safer.
Use case: You don't want public access to your API unless it's you who is querying it for static builds. Isn't that what you would always use an API key for? This more or less renders this entire package useless for those who want to use an API token, unless I'm missing something.
All entries have to be "public access" without the support for API token. As @philipimperato has mentioned, in some cases we need the token to authenticate before the query.
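The concern raised in this thread is that a token set in client-side code shows up in the browser's request headers. One way to keep a read-only Strapi token on the server is a small proxy that attaches it there. The code below is an added example, not part of this module or of anyone's comment; the `/cms` prefix, `STRAPI_URL`, `STRAPI_TOKEN` and both allowlists are assumptions.

```javascript
// Added example: builds the upstream Strapi request on the server so the
// API token never reaches the browser. All names here are assumptions.
const ALLOWED_COLLECTIONS = new Set(['articles', 'categories']); // constructed sample
const ALLOWED_QUERY = new Set(['populate', 'sort', 'locale', 'pagination']);

function buildUpstreamRequest(clientReq, env) {
  if (!env.STRAPI_TOKEN) throw new Error('STRAPI_TOKEN is not set on the server');
  // The token is meant to be read-only, so the proxy only accepts reads.
  if (clientReq.method !== 'GET') return { status: 405 };

  // URL parsing normalises "../" segments before the path is matched.
  const incoming = new URL(clientReq.url, 'http://localhost');
  const match = /^\/cms\/([a-z0-9-]+)(?:\/(\d+))?$/.exec(incoming.pathname);
  if (!match || !ALLOWED_COLLECTIONS.has(match[1])) return { status: 404 };

  const path = `/api/${match[1]}${match[2] ? '/' + match[2] : ''}`;
  const upstream = new URL(path, env.STRAPI_URL);
  for (const [key, value] of incoming.searchParams) {
    // Strapi uses bracketed keys such as pagination[page]; match on the root name.
    const root = key.split('[')[0];
    if (ALLOWED_QUERY.has(root)) upstream.searchParams.append(key, value);
  }

  return {
    status: 200,
    url: upstream.toString(),
    // Client headers (including any Authorization it sent) are dropped, and the
    // server-held token is attached instead.
    headers: {
      Accept: 'application/json',
      Authorization: `Bearer ${env.STRAPI_TOKEN}`,
    },
  };
}
```

The browser calls `/cms/articles` with no credentials; only the server, which holds `STRAPI_TOKEN` in its environment, talks to Strapi's `/api/articles`.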
Hello, I have read this issue: #254
And I want to know if an option to set the Strapi API token is now available? I don't see it in the documentation.
Meanwhile I will use useStrapiClient, like that (not tested):