It seems that setting DIRECTUS_SERVER_TOKEN in .env is not used and has no effect. (Or I don't understand how it is meant to be used.)
Some background: I am running Directus 11.2.1 with the Agency OS template and the latest frontend in Docker containers. I installed the agency-os template under directus:10.11 and then upgraded sequentially to the latest Directus. This worked great.
After upgrading to Directus v11, permissions were restructured into roles and policies, as expected. I now have a Public role with the Public policy applied. There is also a Website API role and Website API policy with no permissions applied. I created a token for Website API to be used as DIRECTUS_SERVER_TOKEN.
Building the frontend works mostly as expected, with or without having a DIRECTUS_SERVER_TOKEN set in .env. I gather this is because the Public role has all the permissions.
For security in production, I would like to limit public access to the API by moving most permissions to the Website API user/role/policy. So I configured the Website API role to have the 'Public' policy, and then I limited the Public role to have only the required access to directus_files.
However, with this setup there are access errors during build and the frontend returns a 404 error.
I am expecting that setting DIRECTUS_SERVER_TOKEN would provide the required access, but it doesn't seem to.
Any help or clarification would be appreciated ...
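
Added example, not part of the original issue or of the Agency OS code: a check that compares anonymous and token-authenticated read access per collection, which separates a policy misconfiguration in Directus from a frontend that never sends the token. It assumes the Directus REST paths `/items/<collection>` and `/files` with a `Bearer` token; the collection names `pages`, `posts` and `globals` and the stub server are constructed for illustration.

```javascript
// Added example (not from the issue or the Agency OS repo).
// Directus answers 200 when the caller may read, 403 when no policy grants
// access, and 401 when the token itself is not accepted.

// Core collections have their own endpoints: directus_files is /files.
function readPath(collection) {
  return collection === 'directus_files'
    ? '/files?limit=1'
    : `/items/${encodeURIComponent(collection)}?limit=1`;
}

async function probe(fetchImpl, baseUrl, collection, token) {
  const headers = token ? { Authorization: `Bearer ${token}` } : {};
  const res = await fetchImpl(baseUrl + readPath(collection), { headers });
  return res.status;
}

// Compare anonymous and token access for each collection the frontend reads.
async function auditAccess({ baseUrl, token, collections, publicAllowed, fetchImpl }) {
  const findings = [];
  for (const collection of collections) {
    const anon = await probe(fetchImpl, baseUrl, collection, null);
    const withToken = await probe(fetchImpl, baseUrl, collection, token);
    let verdict = 'ok';
    if (withToken === 401) verdict = 'token rejected';
    else if (withToken !== 200) verdict = 'token lacks read permission';
    else if (anon === 200 && !publicAllowed.includes(collection)) verdict = 'public can read';
    findings.push({ collection, anon, withToken, verdict });
  }
  return findings;
}

// Constructed stand-in for a Directus instance so the example runs offline.
// The collection names used with it are hypothetical.
function makeStubFetch(anonReadable, tokenReadable, validToken) {
  return async (url, { headers }) => {
    const auth = headers.Authorization;
    if (auth && auth !== `Bearer ${validToken}`) return { status: 401 };
    const path = new URL(url).pathname;
    const name = path === '/files' ? 'directus_files' : decodeURIComponent(path.split('/')[2]);
    const readable = auth ? tokenReadable : anonReadable;
    return { status: readable.includes(name) ? 200 : 403 };
  };
}
```

Against a real instance, pass the global `fetch` as `fetchImpl` and the Website API token as `token`; every collection other than `directus_files` should then report `anon` 403 and `withToken` 200.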