
API token type read-only not works as expected 🐛 #14203

Labels
issue: enhancement Issue suggesting an enhancement to an existing feature source: core:strapi Source is core/strapi package

Comments


rodgeraraujo commented Aug 24, 2022

Bug report

Required System information

  • Node.js version: v16.14.0
  • NPM version: 8.5.4
  • Strapi version: v4.3.6
  • Database: postgres
  • Operating system: MacOS

Describe the bug

Trying to create a plugin to extend an API route, I get error 403 when using the API Token of type read-only. My route is a GET, like below:

{
  method: 'GET',
  path: '/route_name',
  handler: 'client.findAll',
  config: {
    policies: [],
    description: 'route_description',
    tag: {
      plugin: 'plugin_name',
      name: 'plugin_name',
      actionType: 'find',
    },
  },
},

For this request to work, I need to use a token of the type full-access, but for our environment this is not a good option.

Expected behavior

Use API Token of the type read-only when routes are just GET methods.

Additional context

Looking at the source code, I found a function that checks the routes, and when the token is not of type full-access, it requires the route's action to be find or findOne (which in this case is a little wrong, since the route is of type GET): it is necessary that the route has the scope of type find. But the documentation doesn't explain any of this. How can I solve this problem without having to use a full-access type token?

@derrickmehaffy derrickmehaffy added issue: enhancement Issue suggesting an enhancement to an existing feature source: core:strapi Source is core/strapi package labels Aug 31, 2022

alucav commented Sep 11, 2022

I can confirm this issue as well when trying to access the API via API Token generated by the Admin Panel:

/api/content-type-builder/content-types/plugin::users-permissions.user

When "read only" is set on the GET request, the response is:

{
	"data": null,
	"error": {
		"status": 403,
		"name": "ForbiddenError",
		"message": "Forbidden",
		"details": {}
	}
}

When "full access" is set on that same GET request, the response is:

{
	"data": {
		"uid": "plugin::users-permissions.user",
		"plugin": "users-permissions",
		"apiID": "user",
		"schema": {
			"displayName": "User",
			"singularName": "user",
			"pluralName": "users",
			"description": "",
			"draftAndPublish": false,
			"kind": "collectionType",
			"collectionName": "up_users",
			"attributes": {
				"username": {
					"type": "string",
					"minLength": 3,
					"unique": true,
					"configurable": false,
					"required": true
				},
				"email": {
					"type": "email",
					"minLength": 6,
					"configurable": false,
					"required": true
				},
				"provider": {
					"type": "string",
					"configurable": false
				},
				"password": {
					"type": "password",
					"minLength": 6,
					"configurable": false,
					"private": true
				},
				"resetPasswordToken": {
					"type": "string",
					"configurable": false,
					"private": true
				},
				"confirmationToken": {
					"type": "string",
					"configurable": false,
					"private": true
				},
				"confirmed": {
					"type": "boolean",
					"default": false,
					"configurable": false
				},
				"blocked": {
					"type": "boolean",
					"default": false,
					"configurable": false
				},
				"role": {
					"type": "relation",
					"relation": "manyToOne",
					"target": "plugin::users-permissions.role",
					"inversedBy": "users",
					"configurable": false,
					"targetAttribute": "users",
					"private": false
				},
				"articles": {
					"type": "relation",
					"relation": "oneToMany",
					"target": "api::article.article",
					"mappedBy": "author",
					"targetAttribute": "author",
					"private": false
				},
				"instagramUsername": {
					"type": "string"
				},
				"youTubeUsername": {
					"type": "string"
				},
				"spotifyUsername": {
					"type": "string"
				},
				"facebookUsername": {
					"type": "string"
				},
				"twitterUsername": {
					"type": "string"
				},
				"discordUsername": {
					"type": "string"
				},
				"avatar": {
					"type": "media",
					"multiple": true,
					"required": false,
					"allowedTypes": [
						"images",
						"files",
						"videos",
						"audios"
					]
				},
				"biography": {
					"type": "text"
				}
			},
			"visible": true,
			"restrictRelationsTo": null
		}
	}
}

In the documentation, it says the following:

"Using API tokens allows executing a request on REST API endpoints as an authenticated user."

So I am not sure why this setting exists for the API Token, because it overrides the "authenticated user" settings. It would be great if there was an API Token specific user-type (So Authenticated User, API Token, and Public by default) that had its own permissions.
