50

I am working with strapi and i am getting an error 403 Forbidden on calling an api e.g http://localhost:1337/data

I've called all the APIs and the result is same 403 error I've tried it with postman also.

In the api route.js file i have this:

 {
   "method": "GET",
   "path": "/data",
   "handler": "data.find",
   "config": {
     "policies": []
   }
 }

Strapi server is localhost port:1337

A GET call from browser http://localhost:1337/data

I have a collection of data in MongoDB; it should give the JSON document, but it is giving this error: {"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Kalnode
user3699398

6 Answers

106

Access this URL: http://localhost:1337/admin/settings/users-permissions/roles. This is where you can manage permissions.

Find the Public role section. Inside it, you'll see Application permission. In this section, ensure that findone and find are checked. This setup is required for an API to work with a frontend application.

A word of caution: avoid enabling more permissions than necessary. When you enable permissions in the Public role, everyone can access them. It's similar to using chmod 777 on a Unix system, but possibly more harmful because it's available on the web. The best practice is to always limit permissions as much as possible.

igloczek
39

Did you update your security rules from the Users and Permissions plugin?

http://localhost:1337/admin/plugins/users-permissions/

Pierre
  • Yes, I updated it to public and now it is working, but please tell me the call for getting an auth token so I can send a request with admin credentials and a token to access the API. – user3699398 Jan 02 '19 at 11:25
  • @Pierre I am using the Froala editor to upload images in the admin panel. I have replaced the default editor, but it will not upload images unless the file upload plugin is set to allow the public to upload. How to allow only admins to upload? – Muhammad Dec 28 '19 at 06:30
17

2021 answer: any time you get a 403 error in Strapi, it is ALWAYS, ALWAYS something to do with the permissions plugin. You need to think about what type of user you are at the moment: public, authenticated, or any other one you set up. Then you should check which permissions you are giving access to under Permissions. Below is an example of my issue and how I resolved it.

I was having this issue with just getting authenticated from Postman, and I found the problem after a few hours of trial and error. For anyone getting a 403 authentication error when just trying to log in: when you are trying to get authenticated while logging in, you are a public user at the moment, not an authenticated user. Therefore you need to allow a public user to make an authentication request. Go to Settings, under "Users and Permissions Plugin", "Roles", "Authenticated", "Permissions", "Users-Permissions", "Auth" and make sure that "callback" is checked! Then make your request from Postman and you should get a JWT back!

http://localhost:1337/admin/settings/users-permissions/roles/1

POST request to URL: http://localhost:1337/auth/local/

{
  "identifier": "reader@strapi.io",
  "password": "strapi"
}
Eggcellentos
Tellisense
  • Thank you! I was having problems logging in; apparently I changed the "Public" role user permissions settings. Like you said, when logging in you are a Public user until authenticated, so the "Public" role must have "connect" and "callback" checked. Under "Users and Permissions Plugin", "Roles", "Public", "Permissions", "Users-Permissions", "Auth", make sure that "callback" and "connect" are checked! Then make your request from Postman and you should get a JWT back! – jasenmichael Apr 12 '21 at 15:45
  • This was it for me. Thanks a million! – Luke Davis Oct 19 '21 at 21:45
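The login-then-fetch flow this answer describes, as an added example that is not part of the original post: it assumes a Strapi v3-style layout (POST /auth/local, GET /data on localhost:1337) and Node 18+ for the global fetch, and takes an injectable fetch implementation so the flow can be exercised without a running server. The explainStatus mapping is my reading of the answers above, not Strapi's own output.

```javascript
// Added example (not from the original post): obtain a JWT from Strapi's
// local auth provider, call a protected route with it, and translate the
// status code into the permission check the answers above describe.
// Assumes Strapi v3 paths (/auth/local, /data) and Node 18+ for fetch.

const BASE_URL = "http://localhost:1337";

// POST /auth/local with the identifier/password body shown in the answer.
async function login(identifier, password, fetchImpl = fetch) {
  const res = await fetchImpl(`${BASE_URL}/auth/local`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ identifier, password }),
  });
  if (res.status === 403) {
    // Login runs as the Public role, so a 403 here means Public lacks
    // users-permissions > Auth > callback (see the comments above).
    throw new Error("403 on login: enable Auth > callback for the Public role");
  }
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  const { jwt } = await res.json();
  return jwt;
}

// GET a route as the user identified by the JWT (Authorization: Bearer ...).
async function fetchAsUser(path, jwt, fetchImpl = fetch) {
  const res = await fetchImpl(`${BASE_URL}${path}`, {
    headers: { Authorization: `Bearer ${jwt}` },
  });
  return { status: res.status, body: res.ok ? await res.json() : null };
}

// Map a status code to the role whose permissions must be checked
// (hypothetical mapping based on the answers above).
function explainStatus(status, hadToken) {
  if (status === 401) return "token missing or invalid: check JWT_SECRET and log in again";
  if (status === 403) {
    return hadToken
      ? "Authenticated role lacks find/findOne on this content type"
      : "Public role lacks find/findOne on this content type";
  }
  return status >= 200 && status < 300 ? "ok" : `unexpected HTTP ${status}`;
}

// Usage against a running Strapi:
// login("reader@strapi.io", "strapi")
//   .then((jwt) => fetchAsUser("/data", jwt).then((r) => console.log(r.status, explainStatus(r.status, true))));
```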
2

Make sure JWT_SECRET and ADMIN_JWT_SECRET exist and are different

This may not directly help the OP, but it did clear up my Strapi 403 error.

I was getting 403 "invalid credentials" errors when making authenticated requests to the Strapi API, after a successful login. The same requests worked fine for anonymous users, and API permissions were identical for all roles.

Solution: Ultimately the issue in my case was that, in my .env file, JWT_SECRET and ADMIN_JWT_SECRET were identical (I was lazy), and Strapi seemed to have an issue with that. On a side note, on my remote host I neglected to include JWT_SECRET in my env.

  1. Define explicit env variables for both
  2. Make sure they are different strings

config/server.js

module.exports = ({ env }) => ({
    admin: {
        auth: {
            secret: env('ADMIN_JWT_SECRET')
        }
    }
})

extensions/user-permissions/config/jwt.js

module.exports = {
    jwtSecret: process.env.JWT_SECRET
}

.env

JWT_SECRET=someLongSecretPassphrase
ADMIN_JWT_SECRET=aDifferentLongSecretPassphrase

Discussion here: https://github.com/strapi/documentation/issues/14

Kalnode
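A startup guard for the two secrets this answer talks about, as an added example that is not part of the original answer: it is meant to be called from config/server.js before the config object is returned and refuses to start when either secret is missing, when both are identical, or when one is too short. MIN_SECRET_LENGTH is my assumption, not a Strapi requirement.

```javascript
// Added example (not from the answer above): fail fast on the JWT secret
// misconfiguration that the answer describes, instead of discovering it as
// 403 "invalid credentials" on every authenticated request.
// MIN_SECRET_LENGTH is an assumption, not a value Strapi enforces.

const MIN_SECRET_LENGTH = 32;

// Returns an array of problems; empty when the configuration is acceptable.
function checkJwtSecrets(env) {
  const problems = [];
  const user = env.JWT_SECRET;
  const admin = env.ADMIN_JWT_SECRET;
  if (!user) problems.push("JWT_SECRET is not set");
  if (!admin) problems.push("ADMIN_JWT_SECRET is not set");
  // Rule from the answer: both must exist AND be different strings.
  if (user && admin && user === admin) {
    problems.push("JWT_SECRET and ADMIN_JWT_SECRET must be different strings");
  }
  for (const [name, value] of [["JWT_SECRET", user], ["ADMIN_JWT_SECRET", admin]]) {
    if (value && value.length < MIN_SECRET_LENGTH) {
      problems.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
    }
  }
  return problems;
}

// Throws with every problem listed so a misconfigured deploy never boots.
function assertJwtSecrets(env = process.env) {
  const problems = checkJwtSecrets(env);
  if (problems.length > 0) {
    throw new Error(`Strapi JWT configuration rejected:\n - ${problems.join("\n - ")}`);
  }
}

// Example of use in config/server.js (hypothetical wiring):
// module.exports = ({ env }) => {
//   assertJwtSecrets(process.env);
//   return { admin: { auth: { secret: env("ADMIN_JWT_SECRET") } } };
// };
```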
0

As per the error message, MongoDB has nothing to do with this. You are getting a 403, which means an access issue with this URL. The user may not have access to http://localhost:1337/data. This is a service layer issue.

TheSprinter
0

Strapi API returning 403: Strapi has token authentication, so you have to create a token in your content admin. After creating the token, try the header Authorization: Bearer "your token" against http://localhost:1337/api/your_contents. Can reference here.

Yewin
  • As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center (/help/how-to-answer). – Community Sep 17 '22 at 01:45