Comments (8)
Authorization header is missing:
https://github.com/DLMousey/ZF3-Jwt-Api/blob/develop/module/Core/src/Service/AccessControlService.php#L65
from zf3-jwt-api.
I'm not quite sure I understand what the problem is,
['route' => '/api/navigation', 'protected' => true],
['route' => '/api/navigation/previous', 'protected' => true],
['route' => '/api/navigation/next', 'protected' => true],
In this config block you've declared that /api/navigation and its child routes are protected, requiring a valid JWT to be provided to access them. I've just tested this out on a route with some child routes in case it was matching a child route that was the problem and all seemed to work fine.
As far as I can tell it's all working as intended, with a route marked as protected returning a 401 if no credentials are provided when accessing it.
With regards to the authorization header missing, that'll be an issue in whatever you're using to interface with this API. In this instance I've provided a sample application that shows how the client side of things works, the Angular client.
A side note that might be useful for the future:
If you have a look in config/autoload/global.php you'll find a setting for missing-access-control-behaviour which defines how the access control service responds when a route is accessed that doesn't have an entry in the module's access-control config.
By default this is set to MISSING_ACL_ENTRY_FAIL_CLOSED, which means that any route not explicitly defined in the access-control section of module.config.php will require a valid JWT to access it.
If you want the opposite to be true (all routes allow guest access unless otherwise configured) you can change missing-access-control-behaviour to MISSING_ACL_ENTRY_FAIL_OPEN
from zf3-jwt-api.
The issue is that I am logged in and the token is properly forwarded into each request.
But I can't access child routes, because I get a 401 error on the OPTIONS request.
I can see the Authorization key is missing from getallheaders() and that's why I get 401.
BUT it's an OPTIONS request, NOT a GET/POST, so Authorization is not present.
from zf3-jwt-api.
I solved this issue:
When accessing child routes,
we must not set access control for these routes:
['route' => '/api/navigation', 'protected' => true],
#['route' => '/api/navigation/previous', 'protected' => true],
#['route' => '/api/navigation/next', 'protected' => true],
It works perfectly now!
from zf3-jwt-api.
This will trigger the fallback behaviour instead (that I mentioned in the last comment).
The issue is that the access control service is still running on OPTIONS requests, which shouldn't contain user credentials as specified in the spec.
from zf3-jwt-api.
Yes you're right.
I should define:
['route' => '/api/navigation/previous', 'protected' => true],
['route' => '/api/navigation/next', 'protected' => true],
But it doesn't work.
However, all OPTIONS requests work fine BUT child routes.
from zf3-jwt-api.
The solution would be to modify the access control service, or perhaps the API module to return the valid CORS headers (which the OPTIONS request is looking for) before the access control service runs.
This would need to run at a higher priority than the current logic.
Whether I actually implement this or not, I don't know - this repo's not been touched in over a year, for the most part it's abandoned.
from zf3-jwt-api.
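One way to implement the change described in the comment above, as an added example that is not code from zf3-jwt-api or its author: a ZF3 listener that answers CORS preflight requests before the JWT check runs. The class name, namespace, origin allow-list and priority value are assumptions; the priority only has to be higher than the one the access control check is attached with.

```php
<?php
// Added example, not part of zf3-jwt-api. Names and values marked "assumed" are illustrative.
namespace Core\Listener; // assumed namespace

use Zend\EventManager\AbstractListenerAggregate;
use Zend\EventManager\EventManagerInterface;
use Zend\Http\Request as HttpRequest;
use Zend\Mvc\MvcEvent;

class CorsPreflightListener extends AbstractListenerAggregate
{
    // Assumed to be higher than the priority of the access control check.
    const PRIORITY = 10000;

    /** @var string[] exact origins allowed to call the API (constructed sample value) */
    private $allowedOrigins = ['https://app.example.test'];

    public function attach(EventManagerInterface $events, $priority = self::PRIORITY)
    {
        $this->listeners[] = $events->attach(MvcEvent::EVENT_ROUTE, [$this, 'onRoute'], $priority);
    }

    public function onRoute(MvcEvent $e)
    {
        $request = $e->getRequest();
        if (!$request instanceof HttpRequest || !$request->isOptions()) {
            return; // every non-OPTIONS request still goes through the JWT check
        }
        $origin = $request->getHeader('Origin');
        // A preflight carries Origin and Access-Control-Request-Method;
        // any other OPTIONS request falls through to normal access control.
        if (!$origin || !$request->getHeader('Access-Control-Request-Method')) {
            return;
        }
        if (!in_array($origin->getFieldValue(), $this->allowedOrigins, true)) {
            return; // unknown origin: no CORS headers are issued
        }
        $response = $e->getResponse();
        $response->setStatusCode(204);
        $response->getHeaders()->addHeaders([
            'Access-Control-Allow-Origin'  => $origin->getFieldValue(),
            'Access-Control-Allow-Methods' => 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
            'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
            'Vary'                         => 'Origin',
        ]);
        return $response; // a response returned from a route listener ends the request here
    }
}
```

The listener would be attached to the application's event manager from a module's onBootstrap(). Only the preflight is answered without credentials; the GET/POST that follows still carries the Authorization header and is checked as before.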
I understand.
This module is the best to migrate a ZF3 application to REST API.
If you can't make the modification, I will use standard routes without child.
I can use the standard create(data) and dispatch with param action = previous/next.
It's not the correct way but it works.
from zf3-jwt-api.