Hi,
I hope someone can point me in the right direction…
In my middleware I have an authentication setup for a normal login and a login with a token (API login); that works as expected.
When I want to access a page in my browser that is not allowed for the user role, I'm being redirected to the login page (wanted behavior) even when I'm logged in.
Now… When I access the API with an incorrect token I'm also being redirected. How can I set up the authorization middleware in such a way that it throws a 403 when the API uses a wrong token? And… when the user tries to access a page that is not allowed, he is being redirected?
I now have this in the Application.php:
```php
$middlewareQueue->add(new AuthenticationMiddleware($this));
$middlewareQueue->add(new AuthorizationMiddleware($this, [
    'requireAuthorizationCheck' => false,
    'unauthorizedHandler' => [
        'className' => 'Authorization.CakeRedirect',
        'url' => ['plugin' => false, 'controller' => 'Login', 'action' => 'index'],
        'queryParam' => 'redirectUrl',
        'exceptions' => [
            \Authorization\Exception\MissingIdentityException::class,
            \Authorization\Exception\ForbiddenException::class,
            \Authorization\Exception\AuthorizationRequiredException::class,
        ],
    ],
]));
$middlewareQueue->add(new RequestAuthorizationMiddleware());
```
I have no clue how to “link” the exceptions with the normal website and the API prefix…
The API has a specific route section in the routes.php:
```php
$routes->prefix('Api/V1', function (RouteBuilder $routes) {
    $routes->setExtensions(['json', 'xml']);
    $routes->fallbacks(DashedRoute::class);
});
```
Thanks for reading this and, hopefully, thank you for the input.
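One way to get both behaviours from a single `unauthorizedHandler`, as an added example that is not part of the original post or of the CakePHP Authorization plugin: a custom handler (hypothetical name `ApiAwareRedirectHandler`) that extends the plugin's `CakeRedirectHandler`, answers requests under the API prefix with a JSON 403 and lets browser requests fall through to the existing redirect. It assumes CakePHP 4 with Authorization plugin 2.x, the `Api/V1` prefix from the routes.php above, and that routing has run before the authorization middleware so the `prefix` route param is populated.

```php
<?php
declare(strict_types=1);

namespace App\Middleware\UnauthorizedHandler;

use Authorization\Exception\Exception;
use Authorization\Middleware\UnauthorizedHandler\CakeRedirectHandler;
use Cake\Http\Response;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

/**
 * Hypothetical handler: API clients get a status code and a JSON body,
 * browser clients keep the plugin's redirect-to-login behaviour.
 */
class ApiAwareRedirectHandler extends CakeRedirectHandler
{
    public function handle(Exception $exception, ServerRequestInterface $request, array $options = []): ResponseInterface
    {
        if ($this->isApiRequest($request)) {
            // A redirect to an HTML login page is meaningless for an API client.
            // The post asks for 403; 401 would be the conventional code when no
            // identity was found at all (MissingIdentityException).
            return (new Response())
                ->withStatus(403)
                ->withType('application/json')
                ->withStringBody(json_encode(['error' => 'forbidden']));
        }

        // Browser request: parent::handle() redirects for the exception classes
        // listed in the 'exceptions' option and rethrows anything else.
        return parent::handle($exception, $request, $options);
    }

    protected function isApiRequest(ServerRequestInterface $request): bool
    {
        // Assumption: the API is everything under the 'Api/V1' route prefix.
        // The route param is authoritative; the path check is a fallback in case
        // the request never reached the router (e.g. a 404 before routing).
        $params = $request->getAttribute('params', []);
        $prefix = strtolower((string)($params['prefix'] ?? ''));
        $path = strtolower($request->getUri()->getPath());

        return $prefix === 'api/v1' || strpos($path, '/api/v1') === 0;
    }
}

// In Application::middleware(), point the existing 'unauthorizedHandler' config at it,
// keeping 'url', 'queryParam' and 'exceptions' exactly as in the post:
//   'className' => \App\Middleware\UnauthorizedHandler\ApiAwareRedirectHandler::class,
```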