
What I want to create
I want to secure a web-page. I don't want someone to view it until they have logged in.

Say, I want to secure route

localhost:1337/shop

I know strapi provide authentication option for API and I am able to secure the route.

So until a GET request for localhost:1337/shop has an Authorization: Bearer 'Token' in its header, it will show a 403 error (which is definitely correct).

Problem

If I am making a GET request directly to localhost:1337/shop (directly means by just typing it in my browser's address bar), I cannot set the header, and so the 403 Forbidden error appears there.

Solutions I have tried

I made localhost:1337/shop a public API (removed find from authentication).

I have stored the jwtToken in cookies and I can fetch it on the server, but when I use the code below on the server it throws an error saying:

Error: The model user can't be found

 // Throws "The model user can't be found" when run on the server
 strapi.query('user').find({ id: 1 }).then((result) => {
   console.log(result)
 })

I have not used the cookies in the above code but the problem is same.

I know I am definitely somewhere wrong in understanding the concepts of strapi.

Is there a better way to approach cookies and authentication in Strapi?

Ayush Rajniwal
    Although I don't know Strapi, what you stated as a problem is actually normal and expected behaviour. You can use a rest client utility to manually invoke the api by passing whatever header (cookie, Authorization etc.) is required – Saptarshi Basu Dec 20 '19 at 03:11
  • @SaptarshiBasu, Thanks for looking into it. Can you please provide some reference on How to add that header? – Ayush Rajniwal Dec 20 '19 at 04:30
  • @SaptarshiBasu, Do you mean to say, I should create two API. One to get cookies from the user(which will contain JWT token) and then make a GET request to second API from the server using that token. – Ayush Rajniwal Dec 20 '19 at 04:36
  • Yeah. Close. Have a look at the OAuth2 RFC document - mainly authorization code grant type, password credential grant type and client credential grant type and see which one fits your use case. Also refer to: https://stackoverflow.com/a/54011649/1235935 – Saptarshi Basu Dec 20 '19 at 05:36

1 Answer


First of all, I don't understand why you need to access

localhost:1337/shop

from the web browser itself. Your ultimate goal should be to hook it up to some front-end application like React.js/Next.js etc.

There could be these possible reasons for which you might need to access it from the browser:

  1. You are testing the APIs during creation
  2. You want to hook it up to some custom FE server sitting on some other server/port.

For these reasons, you can test the APIs by using Postman or by using online API testing tools like reqbin, for instance, which allow you to add Authorization headers, and after testing is done, you can hook it up to the FE app like normal.

And the simplest one could be to make it public while you are testing, and before deploying you can revert it back to normal (make it a protected endpoint).

Cookies Based Authentication?

Strapi doesn't support cookie-based (server-side) authentication by default; you have to store the JWT token on the client side, ideally in the Web Storage API, and use that for later protected requests.

If you want to support cookies from a strapi server you need to update Auth Handler in strapi. Will get to more details around that if required!

Bilal Shafi