Service isn't requiring login to access

I have a service that is allowing access without actually handing off a token value. How do I fix this? It acts like it doesn’t allow guest access if I don’t add in the authentication type header, but if I hand it that header without the token it just doesn’t care.

curl -X GET --header "Accept: application/json" --header "X-DreamFactory-Api-Key: 36fda24fe5588fa4285ac6c6c2fdfbdb6b6bc9834699774c9bf777f706d05a88" --header "Authorization: Basic ekBnLmNvbTphYmMxMjM=" http://localhost:8082/api/v2/jfani_db/_schema

Returns:

{"resource":[{"name":"clients"},{"name":"Collateral"},{"name":"Contracts"},{"name":"debts"},{"name":"LoanPackageHistory"},{"name":"Loans"},{"name":"Notes"},{"name":"Packages"},{"name":"Payments"},{"name":"Tasks"}]}

while

curl -X GET --header "Accept: application/json" --header "X-DreamFactory-Api-Key: 36fda24fe5588fa4285ac6c6c2fdfbdb6b6bc9834699774c9bf777f706d05a88" http://localhost:8082/api/v2/jfani_db/_schema

returns:

{"error":{"context":null,"message":"No session token (JWT) provided. Please provide a valid JWT using X-DreamFactory-Session-Token request header or 'session_token' url query parameter.","code":400}}

Like it is supposed to. The first example should be returning this same value because there is no valid token being passed.

In addition, this is my only active CORS setting.

False alarm guys. I figured it all out.

I didn’t understand that the Authorization Basic header is a base64_encode of the username and password and is used as a secondary method for authentication. I also didn’t understand that the default role on an application was the default role used for an unauthenticated user; I thought it was the role used when a new user is created. So, I removed default roles from the application and we are good now.
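The poster's finding is that a request carrying only the app API key is anonymous and is served only because the app grants a default role, while an Authorization: Basic header carries base64(username:password) and authenticates as that user. The helper below is an added example, not the poster's code and not part of DreamFactory; it classifies which of the three credential carriers named in the thread a request holds (session-token header or session_token query parameter, Basic header, API key only) so an audit of access logs or a proxy can spot API-key-only requests that should be rejected once no default role exists. The header and query names come from the thread; the sample credential is constructed.

```python
import base64
import binascii
from typing import Optional, Tuple

# Header and query names as quoted in the thread's error message and curl commands.
API_KEY_HEADER = "x-dreamfactory-api-key"
SESSION_HEADER = "x-dreamfactory-session-token"
SESSION_QUERY = "session_token"


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic <b64>' value.

    Returns None for a different scheme, invalid base64, or a payload without
    the 'user:password' separator, so a malformed header never counts as a user.
    """
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "basic" or not b64.strip():
        return None
    try:
        raw = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def classify_request(headers: dict, query: dict) -> dict:
    """Summarise the credentials a request carries; header names are case-insensitive.

    'anonymous' is True when the request has the app API key but neither a session
    token nor a usable Basic credential: exactly the request that should only succeed
    if the application still has a default role assigned.
    """
    h = {k.lower(): v for k, v in headers.items()}
    has_key = API_KEY_HEADER in h
    has_session = SESSION_HEADER in h or SESSION_QUERY in query
    basic = decode_basic(h.get("authorization", ""))
    return {
        "api_key": has_key,
        "session_token": has_session,
        "basic_user": basic[0] if basic else None,
        "anonymous": has_key and not has_session and basic is None,
    }


# Constructed sample (not from the thread): an API-key-only request beside a Basic one.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"user@example.com:hunter2").decode()
SAMPLE_KEY_ONLY = classify_request({"X-DreamFactory-Api-Key": "EXAMPLE-KEY"}, {})
SAMPLE_WITH_BASIC = classify_request(
    {"X-DreamFactory-Api-Key": "EXAMPLE-KEY", "Authorization": SAMPLE_BASIC}, {})
```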
