adrian

Protecting the API

Hello,

I am creating my first Ash Json API with Phoenix.

I am playing with swagger, and I have some questions.

  1. How can I add authentication and authorization? Is it derived from AshAuthentication policies?
  2. How can I get the bearer to test the API authorization?

If I define a policy like this one:

  policies do
    policy always() do
      forbid_if always()
    end
  end

Note I am using this policy only for testing purposes

  3. In the GET action for listing all the items without any API key, it returns a 200 response with an empty list. Shouldn't it be a 401 instead?

I want to return 401 to all API calls that are not authorized using a bearer, and a 403 response to HTTP calls not allowed—for example, a resource owned by another actor.

Thanks!

Marked As Solved

zachdaniel

Creator of Ash

If you want to forbid anyone without a bearer token that is best done in a plug in your router.

Are you using AshAuthentication?

Read actions apply policies by filtering by default. This protects from various security problems. You can change that by setting access_type :strict in the policy, but I suggest sticking with the default.

If you want to enforce in each resource or domain (policies can also go on the domain) you can add a policy like this:

policies do
  policy actor_absent() do
    access_type :strict
    forbid_if always()
  end

  ...rest of policies
end
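A worked version of the two pieces described above (a router plug that answers 401 when no valid bearer token is present, and resource policies with a strict actor_absent() rule so authenticated callers get 403 rather than a filtered, empty result), as an added example that is not code from this thread or from Ash itself. The module names MyApp.* / MyAppWeb.*, the Item resource with its owner relationship, and MyApp.Accounts.verify_token/1 (assumed to return {:ok, user} or :error, for example by checking the JWT AshAuthentication issued at sign-in) are assumptions for illustration:

```elixir
# Added example, not from the thread. Assumed names: MyApp.Items.Item,
# MyApp.Accounts.User, MyApp.Accounts.verify_token/1, MyAppWeb.JsonApiRouter.

defmodule MyAppWeb.Plugs.RequireBearer do
  @moduledoc "Reject requests that lack a valid `Authorization: Bearer <token>` header with 401."
  import Plug.Conn

  # The plug is configured with a verifier function so it does not care which
  # auth library minted the token.
  def init(opts), do: Keyword.fetch!(opts, :verify)

  def call(conn, verify) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user} <- verify.(token) do
      # AshJsonApi reads the actor from the conn via Ash.PlugHelpers, so the
      # resource policies below see this user as the actor.
      Ash.PlugHelpers.set_actor(conn, user)
    else
      # Missing header, malformed header, or a token the verifier rejects:
      # stop the pipeline here, before any Ash action runs.
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, Jason.encode!(%{errors: [%{status: "401", title: "Unauthorized"}]}))
        |> halt()
    end
  end
end

defmodule MyAppWeb.Router do
  use Phoenix.Router

  pipeline :api do
    plug :accepts, ["json"]
    # verify_token/1 is an assumed helper returning {:ok, user} | :error.
    plug MyAppWeb.Plugs.RequireBearer, verify: &MyApp.Accounts.verify_token/1
  end

  scope "/api" do
    pipe_through :api
    forward "/json", MyAppWeb.JsonApiRouter
  end
end

defmodule MyApp.Items.Item do
  use Ash.Resource,
    domain: MyApp.Items,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :name, :string, allow_nil?: false
  end

  relationships do
    belongs_to :owner, MyApp.Accounts.User, allow_nil?: false
  end

  actions do
    defaults [:read, :destroy, create: [:name], update: [:name]]
  end

  policies do
    # Defence in depth for any route that reaches Ash without the plug:
    # strict, so a missing actor is a forbidden error, not an empty list.
    policy actor_absent() do
      access_type :strict
      forbid_if always()
    end

    # Reads keep the default filtering: a caller only ever sees their own items.
    policy action_type(:read) do
      authorize_if relates_to_actor_via(:owner)
    end

    # Changing or deleting someone else's item is forbidden, which AshJsonApi
    # renders as 403 for an authenticated actor.
    policy action_type([:update, :destroy]) do
      authorize_if relates_to_actor_via(:owner)
    end

    policy action_type(:create) do
      authorize_if actor_present()
    end
  end
end
```

Two things to check once this is wired up: a request with no Authorization header never reaches Ash (the plug halts with 401), and a PATCH on an item owned by another user is forbidden at the policy layer (403). Because the read policy stays in filter mode, a GET for another user's item id is simply filtered out and reported as not found rather than as forbidden; only switch that policy to access_type :strict if you deliberately want reads to fail loudly instead.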

adrian

Thanks @zachdaniel !
