From 470101a99e4cea3b2d63e9cb0b312e3dc573ca52 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Thu, 15 Apr 2021 19:24:56 -0700 Subject: [PATCH] authx - Accept API keys by default Overview -------- This slightly relaxes the default settings so that it is easier to use `authx` as a replacement for `extern/rest.php` (which uses the `api_key` for authentication). Before ------ `extern/rest.php` accepts `api_key`s. `authx` can accept `api_key`s, but you have to change some settings to allow it. After ----- Both `extern/rest.php` and `authx` accept `api_key`s by default. Comments ----------------- The defaults in authx were designed to be a bit paranoid. The basic goal -- don't let anyone open up access accidentally. However, the current protections are a bit of overkill. Suppose you've created an `api_key` (sufficient for `extern/rest.php`) and you want to switch to using `civicrm/ajax/*`. Here are the sysadmin tasks: 1. Enable `authx` (*It's inert otherwise.*) 2. Grant the user permission `authenticate via api key`, or convey the `SITE_KEY` to the user, or disable all `authx_guards` 3. Update the setting `authx_header_cred` or `authx_xheader_cred` or `authx_param_cred` to allow `api_key` Notably, when this default was first chosen during drafting, the `authx_guards` (step 2) didn't exist. But now they do, and we have even more steps to go through. This change relaxes the defaults so that step `#3` is not necessary. This arrangement is still fairly paranoid (ie we still have 1+2 -- compared to `extern/rest.php`, there's still an extra opt-in hoop). --- ext/authx/settings/authx.setting.php | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/ext/authx/settings/authx.setting.php b/ext/authx/settings/authx.setting.php
index 8df39f62fff4..8d679529cc21 100644
--- a/ext/authx/settings/authx.setting.php
+++ b/ext/authx/settings/authx.setting.php
@@ -76,6 +76,11 @@ ], ]; } + + $s['authx_param_cred']['default'] = ['jwt', 'api_key']; + $s['authx_header_cred']['default'] = ['jwt', 'api_key']; + $s['authx_xheader_cred']['default'] = ['jwt', 'api_key']; + return $s; };
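Review bot: The new default for `authx_param_cred` lets a long-lived `api_key` arrive as a request parameter, which, if it is sent in the URL, tends to end up in web-server and proxy access logs in a way the two header flows do not. Consider limiting the relaxed default to `authx_header_cred` and `authx_xheader_cred`, or at least stating that trade-off next to the assignment. Because these are defaults rather than stored values, a site that already enabled `authx` and never set the three settings would presumably begin accepting API keys on upgrade, with only the `authx_guards` check remaining, so an upgrade note seems warranted. A short comment above the three assignments, e.g. `// api_key is accepted by default; authx_guards still decides who may use it`, would record why they override the defaults after the closing `}`. The enclosing closure starts outside the hunk.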