Exposing custom script services publicly

Hi all,

A quick question: Is it possible to expose a custom scripting service publicly (i.e. no session key or API key required)?

I know I can enable open registration and give access to the service to the default role, but then session and/or API keys are still necessary. How can I create a custom scripting service which can be queried without any authentication?

Thanks in advance!
Rafa

Hi @rbarriuso,

Currently, at minimum, you need to provide the API Key. And the App corresponding to that API Key must have a default role that allows access to your custom scripting service.

However, with a small change in the code you can achieve what you are looking for. Here is how it goes…

Open file app/Http/Middleware/AccessCheck.php and edit the static class property $exceptions to add your service.

The code looks like this…

protected static $exceptions = [
        [
            'verb_mask' => 31, //Allow all verbs
            'service'   => 'system',
            'resource'  => 'admin/session',
        ],
        [
            'verb_mask' => 31, //Allow all verbs
            'service'   => 'user',
            'resource'  => 'session',
        ],
        [
            'verb_mask' => 2, //Allow POST only
            'service'   => 'user',
            'resource'  => 'password',
        ],
        [
            'verb_mask' => 2, //Allow POST only
            'service'   => 'system',
            'resource'  => 'admin/password',
        ],
        [
            'verb_mask' => 1,
            'service'   => 'system',
            'resource'  => 'environment',
        ],
        [
            'verb_mask' => 15,
            'service'   => 'user',
            'resource'  => 'profile',
        ],
    ];

At the end of this exception array, add an exception for your service. Let’s say the name of your scripting service is ‘magic’. So, to make an exception for a GET call to your ‘magic’ service, you will need to add the following to this $exceptions array:

        [
            'verb_mask' => 1,       //Allows GET call only
            'service'   => 'magic',
            'resource'  => '',      // Specify a resource if your service takes one or leave blank.
        ],

To allow all verbs for your service (GET, POST, PATCH, PUT, DELETE) use ‘31’ for verb_mask. To know more about VerbMasks, see the file vendor/dreamfactory/df-core/src/Enums/VerbMask.php. If your service takes a resource then specify the resource in the resource field. If your service takes multiple resources then you will need to add multiple exceptions into this array for other resources. After your edit, the $exceptions array should look like this…

protected static $exceptions = [
        [
            'verb_mask' => 31, //Allow all verbs
            'service'   => 'system',
            'resource'  => 'admin/session',
        ],
        [
            'verb_mask' => 31, //Allow all verbs
            'service'   => 'user',
            'resource'  => 'session',
        ],
        [
            'verb_mask' => 2, //Allow POST only
            'service'   => 'user',
            'resource'  => 'password',
        ],
        [
            'verb_mask' => 2, //Allow POST only
            'service'   => 'system',
            'resource'  => 'admin/password',
        ],
        [
            'verb_mask' => 1,
            'service'   => 'system',
            'resource'  => 'environment',
        ],
        [
            'verb_mask' => 15,
            'service'   => 'user',
            'resource'  => 'profile',
        ],
        [
            'verb_mask' => 1,      //Allows GET verb only
            'service'   => 'magic',
            'resource'  => '',     // Specify a resource if your service takes one or leave blank.
        ],
    ];
1 Like
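
Added example (not part of the reply above and not DreamFactory's own code): a small PHP audit that decodes each verb_mask in an exception list and reports which verbs become reachable without an API key or session. The function names and the 'admin' resource are hypothetical; the bit values for PUT, PATCH and DELETE are an assumption to check against VerbMask.php, while GET = 1, POST = 2 and all verbs = 31 come from the post.

```php
<?php
// Added example, not DreamFactory code. GET (1), POST (2) and the all-verbs total (31)
// come from the post; the PUT/PATCH/DELETE bit assignments are an assumption to verify
// against vendor/dreamfactory/df-core/src/Enums/VerbMask.php.
const VERB_BITS = ['GET' => 1, 'POST' => 2, 'PUT' => 4, 'PATCH' => 8, 'DELETE' => 16];

/** Expand a verb_mask integer into the list of HTTP verbs it allows. */
function decodeVerbMask(int $mask): array
{
    $verbs = [];
    foreach (VERB_BITS as $verb => $bit) {
        if ($mask & $bit) {
            $verbs[] = $verb;
        }
    }
    return $verbs;
}

/** Describe what each exception entry exposes to unauthenticated callers. */
function auditExceptions(array $exceptions): array
{
    $report = [];
    foreach ($exceptions as $e) {
        $verbs = decodeVerbMask((int) $e['verb_mask']);
        $path  = rtrim($e['service'] . '/' . $e['resource'], '/');
        // Anything beyond GET lets an anonymous caller change state.
        $writes = array_values(array_diff($verbs, ['GET']));
        $report[] = ['path' => $path, 'verbs' => $verbs, 'writes' => $writes];
    }
    return $report;
}

// Constructed sample: the 'magic' entry from the post plus a hypothetical all-verbs variant.
$exceptions = [
    ['verb_mask' => 1,  'service' => 'magic', 'resource' => ''],
    ['verb_mask' => 31, 'service' => 'magic', 'resource' => 'admin'],
];

foreach (auditExceptions($exceptions) as $row) {
    printf(
        "%-12s anonymous verbs: %-28s %s\n",
        $row['path'],
        implode(',', $row['verbs']),
        $row['writes'] ? 'REVIEW: state-changing verbs open' : 'read-only'
    );
}
```

Running it against a copy of the real $exceptions array after each edit shows at a glance whether an entry opened more than the intended GET access.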

Thank you so much for the detailed answer!