Whitelisting an IP or domain to bypass need for authorisation


#1

hi,

Just starting to learn DF and I am trying to do something like this - I have 2 computers and on one of which Dreamfactory 2.1 is installed. I want the other computer to be able to call the REST API on dreamfactory without any additional need for authentication or authorization. This is because the first computer is just posting periodic data and is pretty secure. So I do not want DF to again do the validation. As a matter of fact the first computer can only call an URL and doesn’t have the ability to pass authorization credentials.

So I can allow REST API (POST method mainly) to be executed based on IP or domain white listing?

Thanks,
M.M


#2

at minimum, you must include an api key with all calls.
you can set up guest access (see: http://wiki.dreamfactory.com/DreamFactory/Tutorials/Setting_up_guest_access) which will allow access with api key only (no session information)
The api key can be included in the URL ( ?api_key=… ) so I believe this meets your requirements.


#3

That’s cool :thumbsup:

Cheers,
M.M


#4

And is there a possibility of passing parameters (payload) directly in the url? This is because the application that will call the DF REST API is proprietary and can only “execute” an URL with the data passed in the URL parameters itself.

I guess in the scripts I will be may be able to read the URL parameters and ‘transform’ the data? If yes then is there any links that you could point me to? Thanks once again

I am thinking it could be something similar to what’s explained in this video. But I was wondering if I could get some confirmation on whether thats the right approach: https://www.dreamfactory.com/resources/video/how-use-server-side-scripts

Cheers
M.M


#5

If I rephrase my question it’ll be like this: Say a proprietary application which is only capable of calling a URL will execute this URL https://subd.mydomain.com/api/v2/mydatabase/_table/mycollectionname?value1=100&value2=300?api_key=my_api_key and I would grab the parameters in the above URL in some kinda server script and insert it into MongoDB that is on another machine. I have set up the MongoDB connection as well as the guest access role.

Cheers,
M.M


#6

Alright I kinda got it - I’ll create a custom script for which I will create a guest access , for GET method only. Then in the custom script I will strip the parameters and see what’s required for me, and then use another POST method with different credentials to post the data to MongoDB. Thanks anyway

Cheers,
M.M


#7

That brings me to another simple question. What’s the ‘subtle’ difference between API and Script in the requestor? Thanks


#8

API is the requested URL directly. Script is whatever is defined and executed within DreamFactory.

For example, lets say I have a table XYZ. If I want to access the table directly, I need to give it API access (whatever verbs you need). But, lets say I need to access it through a Custom Scripting Service as well, I need to give it API access (for direct access) plus Script access (so that the Scripting Service can call it).

Hope this makes sense.


#9

Alright thanks…I get it :slight_smile: