Service isn't requiring login to access


#1

I have a service that is allowing access without actually handing off a token value. How do I fix this? It acts like it doesn’t allow guest access if I don’t add in the authentication type header, but if I hand it that header without the token it just doesn’t care.

curl -X GET --header "Accept: application/json" --header "X-DreamFactory-Api-Key: 36fda24fe5588fa4285ac6c6c2fdfbdb6b6bc9834699774c9bf777f706d05a88" --header "Authorization: Basic ekBnLmNvbTphYmMxMjM=" http://localhost:8082/api/v2/jfani_db/_schema

Returns:

{"resource":[{"name":"clients"},{"name":"Collateral"},{"name":"Contracts"},{"name":"debts"},{"name":"LoanPackageHistory"},{"name":"Loans"},{"name":"Notes"},{"name":"Packages"},{"name":"Payments"},{"name":"Tasks"}]}

while

curl -X GET --header "Accept: application/json" --header "X-DreamFactory-Api-Key: 36fda24fe5588fa4285ac6c6c2fdfbdb6b6bc9834699774c9bf777f706d05a88" http://localhost:8082/api/v2/jfani_db/_schema

returns:

{"error":{"context":null,"message":"No session token (JWT) provided. Please provide a valid JWT using X-DreamFactory-Session-Token request header or 'session_token' url query parameter.","code":400}}

Like it is supposed to. The first example should be returning this same value because there is no valid token being passed.


#2

In addition, this is my only active CORS setting.


#3

False alarm guys. I figured it all out.

I didn’t understand that the Authorization: Basic header is a base64_encode of the username and password and is used as a secondary method for authentication. I also didn’t understand that the default role on an application was the default role used for an unauthenticated user; I thought it was the role used when a new user is created. So, I removed default roles from the application and we are good now.
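To make the two points in #3 concrete, here is a small Python model of the request flow, added as an illustration and not taken from DreamFactory's own code: it decodes an Authorization: Basic header into username and password, and it resolves which role a request ends up with given a valid API key, an optional session token or Basic credentials, and the application's default role. The API key, user account and session token values are constructed placeholders; the status codes follow the thread (400 for a missing session token) but the role names are assumptions.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample configuration (not from the thread): one accepted app
# key, one user with a password, and one session token the server accepts.
VALID_API_KEYS = {"app-key-placeholder"}
USERS = {"alice@example.com": "correct-horse"}
VALID_SESSION_TOKENS = {"jwt-placeholder"}


def basic_header(username: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value: base64 of 'user:password'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if the header
    is absent, uses another scheme, carries no value, or is not valid base64."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        raw = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def resolve_role(headers: Dict[str, str],
                 app_default_role: Optional[str]) -> Tuple[int, Optional[str]]:
    """Simplified model of the authorization decision; returns (status, role).

    Order of checks: the app API key must be known; a valid session token or
    valid Basic credentials authenticate the caller; otherwise the request is
    unauthenticated and gets the application's default role, if one is set.
    """
    if headers.get("X-DreamFactory-Api-Key") not in VALID_API_KEYS:
        return 401, None

    if headers.get("X-DreamFactory-Session-Token") in VALID_SESSION_TOKENS:
        return 200, "authenticated_user"

    creds = decode_basic(headers.get("Authorization"))
    if creds is not None and USERS.get(creds[0]) == creds[1]:
        return 200, "authenticated_user"

    # No identity was established. With a default role on the application,
    # the request is still served under that role (the situation in #1);
    # with no default role it is rejected, as in the second curl in #1.
    if app_default_role:
        return 200, app_default_role
    return 400, None


if __name__ == "__main__":
    key = {"X-DreamFactory-Api-Key": "app-key-placeholder"}
    print(decode_basic(basic_header("alice@example.com", "correct-horse")))
    print(resolve_role(key, "guest"))          # served under the default role
    print(resolve_role(key, None))             # rejected: no identity, no default
    print(resolve_role({**key, "Authorization": "Basic "}, None))
```

The last two calls show the fix from #3: the empty Basic header establishes no identity, so once the application has no default role the request is refused instead of being served as a guest.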