Security Restrict Global Restriction on API actions

Hey everyone just a quick question. I was trying to think of a quicker and easier way (and hopefully more foolproof way) to ensure that all the actions that need protecting are protected. Rather than having to add the security restrict to each api workflow each time.

What I have done is added a Condition in the Global.Json which does a condition to see if the $server.url contains the path I am looking for. It will then run my security Restrict. Is this the best way to do this or is there a better way to do that please?


Thanks for reading!

Yes, that’s the way I do it too! High five :raised_hands:

I use $_SERVER.PATH_INFO instead of $_SERVER.URL, and I use the .startsWith formatter rather than .contains. I suggest you do the same

Set Value pathinfo = {{ $_SERVER.PATH_INFO }}
Condition {{ pathinfo.startsWith("/api/admin") }}

I actually use an array to store the paths that need to be restricted, and then I use a Repeat step to iterate on each array element (each path that needs to be restricted) and check if it matches the current path

Also, see my initial discussion regarding this matter here:

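The Global.json check described above (PATH_INFO against a list of prefixes, iterated with a Repeat) is easy to get subtly wrong, so here is a stand-alone matcher you can run outside Wappler. This is an added example, not code from the thread or from Wappler; the function names, the normalisation rules and the sample paths are this example's own assumptions. It shows why startsWith beats contains, why a plain prefix test still over-matches at a segment boundary, and why a missing leading slash or a case mismatch makes the comparison fail.

```javascript
// Added example: a path-prefix matcher modelling the Global.json check from the
// thread. Not Wappler's own logic; names and sample paths are assumptions.

// Normalise a PATH_INFO value before comparing it against the list:
// - strip a query string if one leaked in
// - collapse repeated slashes and resolve "." / ".." segments
// - force a leading slash (an entry written as "api/x" would otherwise never match)
// - drop a trailing slash so "/api/admin/" and "/api/admin" compare equal
// - lower-case, because String.prototype.startsWith is case-sensitive and the
//   lists in the thread mix "/api/Admin" and "/api/Security"
function normalizePath(pathInfo) {
  let p = String(pathInfo || "");
  const q = p.indexOf("?");
  if (q !== -1) p = p.slice(0, q);
  if (!p.startsWith("/")) p = "/" + p;
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg.toLowerCase());
  }
  return "/" + out.join("/");
}

// True when `pathInfo` is `prefix` itself or lives under it as a whole segment.
// Plain startsWith("/api/admin") also accepts "/api/administration";
// contains("/api/admin") also accepts "/public/api/admin". Both are wrong.
function underPrefix(pathInfo, prefix) {
  const p = normalizePath(pathInfo);
  const pre = normalizePath(prefix);
  if (pre === "/") return true; // a "/" entry restricts everything
  return p === pre || p.startsWith(pre + "/");
}

// Equivalent of the Repeat over the endpoints array: does any entry match?
function matchesAny(pathInfo, prefixes) {
  return prefixes.some((pre) => underPrefix(pathInfo, pre));
}

// Decide what the global step should do for one request. `identity` is whatever
// the security provider returned (truthy when logged in). `restricted` lists
// prefixes that require a login (Security Restrict); `loggedOutOnly` lists
// prefixes that must reject an already-logged-in user, which needs a Condition
// on identity plus a Response step rather than Security Restrict.
function decide(pathInfo, identity, restricted, loggedOutOnly = []) {
  if (matchesAny(pathInfo, loggedOutOnly)) {
    return identity ? "reject: already logged in" : "allow";
  }
  if (matchesAny(pathInfo, restricted)) {
    return identity ? "allow" : "restrict: login required";
  }
  return "allow";
}

// Constructed sample: the paths from the thread, with one entry missing its slash.
const RESTRICTED = ["/api/Admin", "/api/Security", "api/Scripts/StartsWith"];

console.log(decide("/api/Admin/APIProject/List", null, RESTRICTED));
// -> restrict: login required
console.log(decide("/api/administration/x", null, RESTRICTED));
// -> allow (not under /api/Admin as a segment)
```

Two caveats for the real Global.json. First, whatever normalisation you apply in the check must agree with how the server routes the request; if the router treats `/api//Admin` or a differently-cased path as the same action but your Condition does not, the check is bypassable. Second, listing the actions that do NOT need protection and restricting everything else (deny by default) fails closed when a new folder is added; listing the protected ones fails open.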

Thanks Apple, seems like an improvement on my logic thanks :slight_smile:. Glad I was on the right track at least.

hello @Apple!

Can you help me, please?

I have this action, did the way you suggested:


This "RunJS" just add values into an array:

let endpoints = [];

endpoints.push("/api/oauth");
endpoints.push("/oauth/login");
endpoints.push("/api/Security");
endpoints.push("/api/Admin/APIProject");

return endpoints;

As I have too many folders, I chose to set the endpoints that don't need to be restricted to users (just testing).

I found that the startsWith is returning false even when the path matches.

For example:

{
  "endpoints": [
    "/api/oauth",
    "/oauth/login",
    "/api/Security",
    "/api/Admin/APIProject"
  ],
  "repeat_endpoints": [
    {
      "path_info": "/api/Admin/APIProject/List",
      "var_endpoint": "/api/oauth",
      "Verify": false
    },
    {
      "path_info": "/api/Admin/APIProject/List",
      "var_endpoint": "/oauth/login",
      "Verify": false
    },
    {
      "path_info": "/api/Admin/APIProject/List",
      "var_endpoint": "/api/Security",
      "Verify": false
    },
    {
      "path_info": "/api/Admin/APIProject/List",
      "var_endpoint": "/api/Admin/APIProject",
      "Verify": false
    }
  ]
}

What am I doing wrong?
Thanks!

Hi Otavio,

Can you show the screenshot of the steps that give the example you showed?

Also notice the difference between "path_info" and "pathinfo", make sure you're using the correct variable name

You deleted your post, I guess you found the problem? :grimacing:

@Apple you are fast!! LOL!!

Yes, but I'm still having a problem in the global!

let endpoints = []; 

endpoints.push("/api/oauth");
endpoints.push("/oauth/login");
endpoints.push("/api/Security");
endpoints.push("/login");
endpoints.push("api/Scripts/StartsWith")

return endpoints

How many hours did you sleep today? :face_with_peeking_eye:

endpoints.push("api/Scripts/StartsWith")
// should be:
endpoints.push("/api/Scripts/StartsWith")

@Apple 4 hours... need to rest!!

let endpoints = []; 

endpoints.push("/api/oauth");
endpoints.push("/oauth/login");
endpoints.push("/api/Security");
endpoints.push("/login");
endpoints.push("/api/Scripts/StartsWith")

return endpoints

still the same:

Do you want only logged-in users to be able to access /api/Scripts/StartsWith?

If so, you have to take out the ==false you put there in the Condition

No, the opposite! No logged-in users can access!

I'm not sure you can use Security Restrict step for that, you have to use Condition identity and use Response step to reject the request (if logged in [if identity], reject request)