Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is the option api_token implemented ? #322

Open
bnbc opened this issue Mar 4, 2023 · 13 comments
Open

Is the option api_token implemented ? #322

bnbc opened this issue Mar 4, 2023 · 13 comments

Comments

@bnbc
Copy link

bnbc commented Mar 4, 2023

Hello, i have read this issue : #254

And i want to know if an option to set Strapi api token is now available ? i don't see it in the documentation.

Meanwhile i will use useStrapiClient, like that (not tested) :

const client = useStrapiClient()

await client('/articles', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer ' + token,
  }
})
@jiblett1000
Copy link
Contributor

@bnbc I've opened a PR. Still waiting to hear back.

#318

Copy link
Member

Hello @bnbc,

I've given feedback here #254 (comment) and here #326 (comment), could you please explain your use-case for this feature?

@bnbc
Copy link
Author

bnbc commented Mar 8, 2023

Hello @benjamincanac

Instead of doing that :

const runtimeConfig = useRuntimeConfig()
const client = useStrapiClient()

const articles = await client<Strapi4Response<Article>>('/articles?populate=*', {
    method: 'GET',
    headers: {
        'Authorization': 'Bearer ' + runtimeConfig.strapiToken,
    }
})

I just feel better to have possibility to set a api_token option:

strapi: {   
        url: process.env.STRAPI_URL,
        apiToken: process.env.STRAPI_TOKEN,      
},

And use basic calls of your module like that :

const { find } = useStrapi()
const response = await find<Article>('articles')

Nice job !

Copy link
Member

@bnbc Why would you use an api token to fetch your articles? Can't you just set the articles.find permission to Public?

@bnbc
Copy link
Author

bnbc commented Mar 8, 2023

Ok i'm new on Strapi (v4) and i just see how to put permissions to Public like you say.

But is not the default configuration, one of the first steps is to create an api token to protect data access.
I think is a good practice, i don't want anyone can access my data api (for security reason, performance reason)

So that why i was suprised when i dont see token params in the options of your module, cause for me is mandatory (but no)

Maybe is just my opinion and my concepts but it feels logic for me :)

Copy link
Member

We're not implementing this api token feature because if we do, your api token will be leaked and accessible to all users as it will show up in the browser request headers.

@bnbc
Copy link
Author

bnbc commented Mar 8, 2023

Oh yes il feel stupid :/ i dont realize was so easy to get the token.

So i will protect my API access with IP rules.

Thks

@gwynhokkers
Copy link

I'm a bit confused as to why you wouldn't use the API tokens in this way? You can create them as read only - which is fine, plus how else are you meant to restrict access other than doing what @bnbc suggests and restrict by IP address?
On some web app hosting we don't have access to restrict the api by ip address, plus if you dont have static ip addresses for the frontend how are you meant to do so?

Copy link
Member

@gwynhokkers Do you have a use-case where you need an API token that won't be leaked? Maybe I'm missing something here

@wanxe
Copy link

wanxe commented Oct 16, 2023

If i'm not wrong, the API token is not exposed when use static builds. So unless the API is used to make the call at runtime, the token is not exposed. But of course... if it is restricted by IP it is much safer.

@philipimperato
Copy link

philipimperato commented Jan 22, 2024

Use case:

You don't want public access to your API unless it's you who is querying it for static builds.

Isn't that what you would always use an API key?

This more or less renders this entire package useless for those who want to use an API token, unless I'm missing something.

@ChinYoung
Copy link

All entries have to be "public access" without the support for API token, as @philipimperato has metioned, at some case we need the token to authenticate before the query.
And for the leaking problem, SSR is necessary when query with API token, to make the query happens at the server side.

@Mackeul
Copy link

Mackeul commented Jul 19, 2024

I believe I may have a use case for implementing this feature.

We use static site generation + server-side dynamic routes for 3rd party APIs that the user would interact with (ie. Stripe payments). However, we don't want the site to have any dependencies on Strapi when it is live, hence SSG. We would also prefer to lock down Public access to Strapi completely and only allow API access via API token for security reasons.

This all works great once deployed, however to run a new build when something changes, we have no way to provide the build with the api token so that it can fetch the data to create the static pages. The only way for the build to work is to have Public access to the data it tries to retrieve enabled. I've tried adding apiToken to the strapi section of nuxt.config.ts, but that didn't seem to make any difference and given this discussion, it doesn't seem to be possible? Maybe there is a way to do this that I haven't found yet?

So the desired behaviour I am looking for is to have a way to provide the build with the necessary API token for it to fetch Strapi data and populate the static page, and then once deployed the token information is not part of the static page at all and therefore not at risk. Hope this all makes sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants