
Comments (8)

davidquintard commented on August 19, 2024

Authorization header is missing:
https://github.com/DLMousey/ZF3-Jwt-Api/blob/develop/module/Core/src/Service/AccessControlService.php#L65

from zf3-jwt-api.

DLMousey commented on August 19, 2024

I'm not quite sure I understand what the problem is:

['route' => '/api/navigation', 'protected' => true],
['route' => '/api/navigation/previous', 'protected' => true],
['route' => '/api/navigation/next', 'protected' => true],

In this config block you've declared that /api/navigation and its child routes are protected, requiring a valid JWT to be provided to access them. I've just tested this out on a route with some child routes, in case the matching of a child route was the problem, and all seemed to work fine.

As far as I can tell it's all working as intended, with a route marked as protected returning a 401 if no credentials are provided when accessing it.

With regards to the Authorization header missing, that'll be an issue in whatever you're using to interface with this API. In this instance I've provided a sample application that shows how the client side of things works, the Angular client.

A side note that might be useful for the future:
If you have a look in config/autoload/global.php you'll find a setting for missing-access-control-behaviour, which defines how the access control service responds when a route is accessed that doesn't have an entry in the module's access-control config.

By default this is set to MISSING_ACL_ENTRY_FAIL_CLOSED, which means that any route not explicitly defined in the access-control section of module.config.php will require a valid JWT to access it.

If you want the opposite to be true (all routes allow guest access unless otherwise configured) you can change missing-access-control-behaviour to MISSING_ACL_ENTRY_FAIL_OPEN.


davidquintard commented on August 19, 2024

The issue is that I am logged in and the token is properly forwarded in each request.
But I can't access child routes, because I get a 401 error on the OPTIONS request.
I can see the Authorization key is missing from getallheaders(), and that's why I get a 401.
BUT it's an OPTIONS request, NOT a GET/POST, so Authorization is not present.


davidquintard commented on August 19, 2024

I solved this issue:
When accessing child routes,
we must not set access control for these routes:

['route' => '/api/navigation', 'protected' => true],
#['route' => '/api/navigation/previous', 'protected' => true],
#['route' => '/api/navigation/next', 'protected' => true],

It works perfectly now!


DLMousey commented on August 19, 2024

This will trigger the fallback behaviour instead (that I mentioned in the last comment).

The issue is that the access control service is still running on OPTIONS requests, which shouldn't contain user credentials as specified in the spec.


davidquintard commented on August 19, 2024

Yes, you're right.
I should define:
['route' => '/api/navigation/previous', 'protected' => true],
['route' => '/api/navigation/next', 'protected' => true],

But it doesn't work.
However, all OPTIONS requests work fine, BUT not the child routes.


DLMousey commented on August 19, 2024

The solution would be to modify the access control service, or perhaps the API module to return the valid CORS headers (which the OPTIONS request is looking for) before the access control service runs.

This would need to run at a higher priority than the current logic.
Whether I actually implement this or not, I don't know - this repo's not been touched in over a year; for the most part it's abandoned.

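The approach DLMousey describes, written out as an added example (this is not code from the zf3-jwt-api repository): a listener on the MVC route event, attached at a high priority so it runs before the access control service, that answers CORS preflight OPTIONS requests itself and short-circuits dispatch. The namespace, the priority value and the origin allowlist are assumptions; the priority only has to exceed whatever the access control service attaches with.

```php
<?php
// Added example, not part of zf3-jwt-api: answer CORS preflights before the
// access control service runs, so the credential-less OPTIONS request never
// reaches the JWT check.
namespace Core\Listener;

use Zend\EventManager\EventManagerInterface;
use Zend\EventManager\ListenerAggregateInterface;
use Zend\EventManager\ListenerAggregateTrait;
use Zend\Http\Request as HttpRequest;
use Zend\Mvc\MvcEvent;

class CorsPreflightListener implements ListenerAggregateInterface
{
    use ListenerAggregateTrait;

    // Explicit allowlist (assumed value). Do not reflect arbitrary Origins
    // back on an API that accepts Authorization headers.
    private $allowedOrigins = ['https://app.example.com'];

    // Priority 1000 is an assumption; it only needs to be higher than the
    // priority the access control service attaches with on this event.
    public function attach(EventManagerInterface $events, $priority = 1000)
    {
        $this->listeners[] = $events->attach(MvcEvent::EVENT_ROUTE, [$this, 'onRoute'], $priority);
    }

    public function onRoute(MvcEvent $e)
    {
        $request = $e->getRequest();
        if (!$request instanceof HttpRequest
            || $request->getMethod() !== HttpRequest::METHOD_OPTIONS
            || !$request->getHeaders()->has('Access-Control-Request-Method')) {
            return; // not a preflight: routing and access control proceed normally
        }
        $response = $e->getResponse();
        $originHeader = $request->getHeader('Origin');
        $origin = $originHeader ? $originHeader->getFieldValue() : '';
        if (!in_array($origin, $this->allowedOrigins, true)) {
            $response->setStatusCode(403); // unknown origin: refuse the preflight
            return $response;
        }
        $headers = $response->getHeaders();
        $headers->addHeaderLine('Access-Control-Allow-Origin', $origin);
        $headers->addHeaderLine('Vary', 'Origin');
        $headers->addHeaderLine('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
        $headers->addHeaderLine('Access-Control-Allow-Headers', 'Authorization, Content-Type');
        $response->setStatusCode(204);
        return $response; // a Response returned here short-circuits dispatch
    }
}
```

Attach it from the module's onBootstrap with `$listener->attach($e->getApplication()->getEventManager())`; actual requests (GET/POST with the Authorization header) still pass through the access control service unchanged.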

davidquintard commented on August 19, 2024

I understand.
This module is the best way to migrate a ZF3 application to a REST API.
If you can't make the modification, I will use standard routes without child routes.
I can use the standard create(data) and dispatch with the param action = previous/next.
It's not the correct way, but it works.

