U0145CP9Q6Q
U0145CP9Q6Q Posts: 123 🧑🏻‍🚀 - Cadet

Hello. I have a few questions about Glue API.
1. Is there any way to restrict API access for users? For example, I want to give access only to the orders API for a certain user. How can I do it? As I see, you have user roles, but this is only for backend users. And to access the API with a token, you are using frontend users.
2. Why is authentication made using frontend users? Theoretically, in this case each user that has been registered in the shop can fetch any data using the API, even with an access token. Or am I missing something?
Thanks

Comments

  • Eugenia Poidenko
    Eugenia Poidenko Sprykee Posts: 145 🧑🏻‍🚀 - Cadet

    Hey Alex!

    In general, Glue API is a storefront API, so a guest customer or a registered customer (what you call a frontend user) is the actor there, just like in Yves. It will be automatically restricted to seeing only the things that are available without any restrictions (like products or categories; anyone opening a website can access that) or only those available to him (orders placed by the customer, her addresses or profile info).

    Restricting the access per customer is not OOTB; it can be implemented with the ControllerBeforeActionPluginInterface.
    You can also look at what the customer access feature is offering, but I do not think it will cover your case, since it is meant to forbid guest customers access.

  • Eugenia Poidenko
    Eugenia Poidenko Sprykee Posts: 145 🧑🏻‍🚀 - Cadet

    I do not get what you mean by "fetch any data using API". Sure, it is the case. This is what we mean it to be like.

  • UUNC9U61H
    UUNC9U61H Posts: 4 🧑🏻‍🚀 - Cadet

    I mean that if I'm a registered customer and I know the endpoint, I can fetch orders from other users, other customers' data.

  • UUNC9U61H
    UUNC9U61H Posts: 4 🧑🏻‍🚀 - Cadet

    It is not very secure, or is it?

  • Valerii Trots
    Valerii Trots SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice

    How is it possible? Have you tried it on your own?

  • Valerii Trots
    Valerii Trots SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice

    Trying to get a resource of another customer (in this case, an order), you'll get something like:

    {
        "errors": [
            {
                "code": "801",
                "status": 404,
                "detail": "Can't find order by the given order reference"
            }
        ]
    }
    
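The behaviour Valerii describes (a request is scoped to the authenticated customer, and a foreign order reference answers with the same 404 body as an unknown one), together with the per-customer resource gate Eugenia says is not OOTB, modelled as an added example. This is not Spryker code; the customer and order references, the allowlist and the 403 body are constructed assumptions, only the 404 error body is taken from the thread.

```python
from dataclasses import dataclass

# 404 body copied from the thread (code "801"): returned whether the order is
# missing or simply belongs to someone else, so callers cannot tell the two apart.
NOT_FOUND_ERROR = {"errors": [{"code": "801", "status": 404,
                               "detail": "Can't find order by the given order reference"}]}
# Hypothetical body for a resource the customer is not allowed to use at all.
FORBIDDEN_ERROR = {"errors": [{"status": 403, "detail": "Resource not allowed for this customer"}]}


@dataclass(frozen=True)
class Order:
    reference: str
    customer_reference: str
    total: int


# Constructed sample data: two customers, three orders.
ORDERS = {
    "DE--1": Order("DE--1", "DE--CUST-1", 1999),
    "DE--2": Order("DE--2", "DE--CUST-1", 500),
    "DE--3": Order("DE--3", "DE--CUST-2", 4200),
}

# Hypothetical per-customer policy, the kind of table a before-action plugin
# would consult; Glue does not ship such a restriction out of the box.
RESOURCE_ALLOWLIST = {"DE--CUST-1": {"orders", "customers"}, "DE--CUST-2": {"orders"}}


def before_action(customer_reference: str, resource_type: str) -> bool:
    """Resource gate run before the controller: may this customer touch this resource type?"""
    return resource_type in RESOURCE_ALLOWLIST.get(customer_reference, set())


def get_order(customer_reference: str, order_reference: str):
    """Ownership-scoped lookup for GET /orders/{reference}.

    The authenticated customer is part of the lookup key, not a check bolted on
    after the fetch, so a reference owned by another customer is never exposed."""
    if not before_action(customer_reference, "orders"):
        return 403, FORBIDDEN_ERROR
    order = ORDERS.get(order_reference)
    if order is None or order.customer_reference != customer_reference:
        return 404, NOT_FOUND_ERROR
    return 200, {"data": {"type": "orders", "id": order.reference,
                          "attributes": {"total": order.total}}}
```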
  • UUNC9U61H
    UUNC9U61H Posts: 4 🧑🏻‍🚀 - Cadet

    Ah yeah, I misunderstood Eugenia's answer.
    But you don't have a backend API at all, right?

  • Valerii Trots
    Valerii Trots SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice

    We have Zed API which is Beta but is useful with some additional efforts. @UKJSE6T47 could give more info here.

  • Andriy Netseplyayev
    Andriy Netseplyayev Sprykee Posts: 519 🧑🏻‍🚀 - Cadet

    A backend API (also order management) is on the roadmap at the moment, that's correct!

  • UUNC9U61H
    UUNC9U61H Posts: 4 🧑🏻‍🚀 - Cadet

    OK, thanks. Now everything is clear. I thought that Glue API is a backend API; that is why I asked such questions.