Optional Authentication in REST API

[sohaibmaroof]

Hi, I am trying to use Piranha and so far am loving the application!! Great work! One question is there any documentation or examples of using the Rest API and how to implement authentication for it. Basically I want to call API endpoint from my MVC project and pass an x-API-key to authenticate, but I do not know where I can configure it. Currently, if I try to call piranha api it redirects me to the login page. Thanks,

[sohaibmaroof]

Is there a way to disable authentication for Piranha API?

[tidyui]

Hi there! If you take a look here you can see what’s going on in the api package:

https://github.com/PiranhaCMS/piranha.core/tree/master/core/Piranha.WebApi

As you can see the complexity is EXTREMELY low in the controllers as they only expose the underlying api object from Piranha. I think it’s a good idea to be able to turn of security completely, but we encourage you to write your own api controllers in the meantime so you don’t have to wait for it be released!

Best regards

[lnaie]

The webapi endpoints could also use HMAC authorization for service to service calls: v5 proposal to start with: https://tools.ietf.org/html/draft-cavage-http-signatures-05; more info in v12: https://w3c-dvcg.github.io/http-signatures/.

[tidyui]

We would love to see contributions for the Api package as we don't have that much time near future to expand on it, we're working on a lot of other core features in the next couple of releases.

Best regards!

[lnaie]

Yes, I understand that. But it should be facilitated with at least a readme.md that provides guidance, intentions/goals, its role in the whole system, some ideas/roadmap. And hopefully that will answer most of the questions and be a place to start from.

Looking at the API module, as a new comer, it's hard to guess its purpose and how it's being used.

[tidyui]

Totally get that @lnaie. The problem here is of course that we don't use it ourselves in our projects, so we'd really appreciate input what use cases it should cover. My main intention when creating it was really as an example to show the simplicity in setting up a custom Api for your application, then it more or less got published to NuGet together with everything else.

I'd really love the idea of providing a good solid API-package so the platform can be setup as a complete headless solution with a click, but since most applications we build are integrated web applications I just don't know how security should be handled in the best possible way, and when it should be used to facilitate rich client applications in the best possible way.

We could also move the WebApi project into it's own repository for cleaner issue management and collaboration for the Api.

Best regards