Brunogr
1
Is there a bug on the authorization part?
A user with the role "Admin" is able to call and get results from an API set up as follows:

    # $user is the user name of the caller authenticated by the REST API.
    New-UDEndpoint -Url '/whoami' -AuthorizedRole 'test' -Method GET -Endpoint {
        return [PSCustomObject]@{
            UserName = $user
        } | ConvertTo-Json
    }
Am I doing something wrong?
Thanks
adam
2
Sounds like a bug. Can you open an issue for this on GitHub and I’ll look into it today.
adam
3
It does look like there is a test in place for this scenario that is passing. Can you post more of your REST API, or compare it to the code below?

    # One endpoint restricted to the Admin role, one open to both Admin and User.
    $AdminEndpoint = New-UDEndpoint -Url "admin" -Method "GET" -Endpoint {
        "Admin"
    } -AuthorizedRole "Admin"

    $UserEndpoint = New-UDEndpoint -Url "notAdmin" -Method "GET" -Endpoint {
        "User"
    } -AuthorizedRole @("Admin", "User")

    # Tokens are accepted only if they were issued for issuer "Adam".
    $Server = Start-UDRestApi -Port 10001 -Endpoint @($AdminEndpoint, $UserEndpoint) -AuthenticationMethod (
        New-UDAuthenticationMethod -Issuer "Adam"
    )

    Describe "REST API role authorization" {
        It "should return admin to admin" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "Admin" -Issuer "Adam"
            Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "Admin"
        }

        It "should not return admin to user" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "User" -Issuer "Adam"
            # The call must be rejected. Asserting with Should Throw, instead of wrapping the
            # call in a try block with an empty catch, means the test can actually fail when
            # the request unexpectedly succeeds (a failed "should be" inside the try would
            # otherwise be swallowed by the catch).
            { Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" } | Should Throw
        }

        It "should return user to user" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "User" -Issuer "Adam"
            Invoke-RestMethod http://localhost:10001/api/notAdmin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "User"
        }

        It "should return user to admin" {
            $Token = Grant-UDJsonWebToken -UserName "adam" -Role "Admin" -Issuer "Adam"
            Invoke-RestMethod http://localhost:10001/api/notAdmin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "User"
        }
    }
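Added example (not from the thread and not Universal Dashboard's own code): a stand-alone script that reproduces the setup from the first post and records the HTTP status code of each call instead of only whether the call threw, so a token with the wrong role that still gets a 200 shows up immediately, and a transport error is not mistaken for a denial. It assumes the UniversalDashboard module is installed and uses only the cmdlets already used in the thread, plus Stop-UDRestApi to shut the server down (assumed available). Port 10002, the issuer name, the user names and the expected status codes (200 for the allowed role, 401 or 403 for a denied role, 401 for no token or a token from another issuer) are assumptions made for this example.

```powershell
# Added example, not from the thread. Reproduces the "/whoami" endpoint restricted to
# role 'test' and probes it with several tokens, reporting the HTTP status of each call.
Import-Module UniversalDashboard

$Issuer = 'ExampleIssuer'   # assumed name; must match between server and token issuer

$WhoAmI = New-UDEndpoint -Url '/whoami' -Method 'GET' -AuthorizedRole 'test' -Endpoint {
    [PSCustomObject]@{ UserName = $user } | ConvertTo-Json
}

$Server = Start-UDRestApi -Port 10002 -Endpoint @($WhoAmI) -AuthenticationMethod (
    New-UDAuthenticationMethod -Issuer $Issuer
)

# Returns the HTTP status code of a GET, so an authorization failure (401/403) can be
# told apart from a success (200) and from a transport error (no response at all).
function Get-EndpointStatus {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [string] $Token
    )
    $Headers = @{}
    if ($Token) { $Headers['Authorization'] = "Bearer $Token" }
    try {
        $Response = Invoke-WebRequest -Uri $Uri -Headers $Headers -UseBasicParsing -ErrorAction Stop
        return [int] $Response.StatusCode
    }
    catch {
        # A 4xx surfaces as an exception; read the status code off the attached response.
        if ($_.Exception.Response) { return [int] $_.Exception.Response.StatusCode }
        throw   # no HTTP response: server not running or wrong URL, not an authz result
    }
}

$Uri = 'http://localhost:10002/api/whoami'

# Constructed cases. Expected codes are assumptions: 200 for the permitted role,
# 401 or 403 for a denied role, 401 when no token or a token from another issuer is sent.
$Cases = @(
    @{ Name = 'no token';           Token = $null;                                                                 Expect = 401 }
    @{ Name = 'role test, allowed'; Token = (Grant-UDJsonWebToken -UserName 'alice' -Role 'test'  -Issuer $Issuer); Expect = 200 }
    @{ Name = 'role Admin, denied'; Token = (Grant-UDJsonWebToken -UserName 'bob'   -Role 'Admin' -Issuer $Issuer); Expect = 401, 403 }
    @{ Name = 'other issuer';       Token = (Grant-UDJsonWebToken -UserName 'eve'   -Role 'test'  -Issuer 'Other');  Expect = 401 }
)

$Unexpected = @()
foreach ($Case in $Cases) {
    $Status = Get-EndpointStatus -Uri $Uri -Token $Case.Token
    $Ok = $Case.Expect -contains $Status
    Write-Host ('{0,-20} HTTP {1}  {2}' -f $Case.Name, $Status, $(if ($Ok) { 'as expected' } else { 'UNEXPECTED' }))
    if (-not $Ok) { $Unexpected += $Case.Name }
}

Stop-UDRestApi -Server $Server   # assumed cmdlet for shutting the REST API down

if ($Unexpected) {
    Write-Warning ('Authorization did not behave as expected for: ' + ($Unexpected -join ', '))
}
```

If the "role Admin, denied" case comes back as HTTP 200, the role check is being bypassed for that token and the report to GitHub can include the exact token role, issuer and status code; if "no token" or "other issuer" returns 200, the problem is in token validation rather than in the role check.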