I’ve made my own API_Actions, but it seems that the user is not validated against the token, so every token (expired or not) works. What am I missing?
The sample in the docs shows no security validation, so I thought this is handled like the other REST APIs.
Thank you for your quick answer. I added the PedraApiController.php file with the following code. Is it OK?
<?php
// PedraApiController.php
namespace {ProjectNamespace}; // NOTE: Make sure you use {ProjectNamespace}

use Psr\Container\ContainerInterface;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;
use {ProjectNamespace}\Attributes\Delete;
use {ProjectNamespace}\Attributes\Get;
use {ProjectNamespace}\Attributes\Map;
use {ProjectNamespace}\Attributes\Options;
use {ProjectNamespace}\Attributes\Patch;
use {ProjectNamespace}\Attributes\Post;
use {ProjectNamespace}\Attributes\Put;

/**
 * My API controller
 */
class PedraApiController extends AbstractController
{
    // A route registration ($app->post(...)) cannot sit directly inside a class body;
    // the handler is a controller method instead, routed with the imported Post attribute.
    // The attribute argument form and the way JwtMiddleware (previously attached with
    // ->add(JwtMiddleware::class)) is bound to an attribute-routed method are assumptions;
    // check the framework's docs for the exact signature.
    #[Post('/getLetterTemplates')]
    public function getLetterTemplates(Request $request, Response $response): Response
    {
        $params = $request->getParsedBody();
        // ... rest of the code ...
        return $response;
    }
}
JwtMiddleware only decodes the JWT token (if any) and tries to log the user in; it does not (un)authorize the user, because it does not have any info about the permissions of your own API actions. If you want to authorize the user, you need to do it yourself. For example, if you want to check the user’s user level, you can check Security()->currentUserLevelID(). If the user is not allowed, you should return a 401 response.
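One way to do the authorization the answer describes, as an added example that is not part of the thread or the framework's own code: a small PSR-15 middleware that runs after JwtMiddleware has logged the user in, reads Security()->currentUserLevelID() (the helper named in the answer; that it returns null or 0 when nobody is logged in is an assumption), and returns 401 unless the level is in an allow-list. The namespace, the Slim 4-style registration (`->add()`, `$app->getResponseFactory()`) and the level IDs in the allow-list are all assumptions.

```php
<?php
// RequireUserLevel.php (added example; namespace is an assumption)
namespace {ProjectNamespace}\Middleware;

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Rejects the request unless the currently logged-in user's level ID is in
 * the configured allow-list. Uses an explicit list rather than a "level >= N"
 * comparison, because the ordering of level IDs (is 1 admin or guest?) is
 * not something this example can assume.
 */
final class RequireUserLevel implements MiddlewareInterface
{
    /** @param int[] $allowedLevels level IDs that may call the route */
    public function __construct(
        private ResponseFactoryInterface $responseFactory,
        private array $allowedLevels,
    ) {}

    public function process(Request $request, RequestHandlerInterface $handler): Response
    {
        // Helper from the answer above. Assumed: returns null/0 when JwtMiddleware
        // found no valid token and therefore logged nobody in.
        $level = Security()->currentUserLevelID();

        if ($level === null || !in_array((int) $level, $this->allowedLevels, true)) {
            $response = $this->responseFactory->createResponse(401);
            $response->getBody()->write(json_encode(['error' => 'Unauthorized']));
            return $response->withHeader('Content-Type', 'application/json');
        }

        return $handler->handle($request);
    }
}

// --- Registration (Slim 4-style, assumed) -------------------------------
// Route middleware added with ->add() runs in reverse order of addition
// (last added runs first), so JwtMiddleware must be added AFTER
// RequireUserLevel for the token to be decoded before the level check.
// The level IDs [1, 2] are placeholders.
$app->post('/getLetterTemplates', function (Request $request, Response $response) {
    $params = $request->getParsedBody();
    // ... handler body ...
    return $response;
})
    ->add(new RequireUserLevel($app->getResponseFactory(), [1, 2]))
    ->add(JwtMiddleware::class);
```

If the ordering is reversed, RequireUserLevel runs before the JWT has been decoded, sees no logged-in user and rejects every request, which is an easy mistake to make with Slim's LIFO middleware stack.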