13

I always got "You are requesting with an invalid credential." but I need to have a public endpoint specifically "view" action that everybody can access whitout send access token and keep the other actions with token validation

This is part of my Api controller:

/**
 * @inheritdoc
 */
public function behaviors()
{
    return [
        'contentNegotiator' => [
            'class' => ContentNegotiator::className(),
            'formats' => [
                'application/json' => Response::FORMAT_JSON,
                //'application/xml' => Response::FORMAT_XML,
            ],
        ],
        'verbFilter' => [
            'class' => VerbFilter::className(),
            'actions' => $this->verbs(),
        ],
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['view'],
            'rules' => [
                [
                    'actions' => ['view'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
            ],
        ],
        'authenticator' => [
            'class' => CompositeAuth::className(),
            'authMethods' => [
                HttpBasicAuth::className(),
                HttpBearerAuth::className(),
                QueryParamAuth::className(),
            ],
        ],
        'rateLimiter' => [
            'class' => RateLimiter::className(),
        ],
    ];
}

I try using:

'access' => [
     'class' => AccessControl::className(),
     'only' => ['view'],
     'rules' => [
         [
             'actions' => ['view'],
             'allow' => true,
             'roles' => ['?'],
         ],
    ],

],

But the authenticator behavior does not allow that my view action are a public action

gsalgadotoledo
  • 2,666
  • 1
  • 25
  • 22

2 Answers2

19

I found the solutions is just using 'only' or 'except' key on the authenticator behavior 

'authenticator' => [
            'class' => CompositeAuth::className(),
            'except' => ['view'],
            'authMethods' => [
                HttpBasicAuth::className(),
                HttpBearerAuth::className(),
                QueryParamAuth::className(),
            ],
        ],

Source: https://github.com/yiisoft/yii2/issues/4575 https://github.com/yiisoft/yii2/blob/master/docs/guide/structure-filters.md#using-filters-

Thanks, Enjoy Yii2 and REST ;)

gsalgadotoledo
  • 2,666
  • 1
  • 25
  • 22
0

There is two property to bypass authenticator on actions 1. only => bypass the rest of action in array configured 2. except => bypass only configured in array

public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['authenticator'] = [
        'class' => CompositeAuth::className(),
        'except' => ['login', 'register','regenerate'],
        //'only'=>['index'],
        'authMethods' => [
            [
                'class' => HttpBasicAuth::className(),
                'auth' => function ($username, $password) {
                    $user = User::findByLogin($username);
                    return $user->validatePassword($password)
                        ? $user
                        : null;
                }
            ],
            HttpBearerAuth::className(),
            QueryParamAuth::className()
        ],
    ];
    return $behaviors;
}
Kalpesh Desai
  • 1,405
  • 15
  • 17