REST API Endpoints with optional authentication

Posted: Wed May 28, 2025 5:13 pm
by jan
Good day,

I'm looking for opinions on how to deal with the REST API endpoint authentication in a scenario where it would require JWT validation if a user is logged in, and it would not if they are not logged in.

The few ways I could think of this working are either by:

- Setting Ignore Top Level Security in the endpoints to "checked" and then manually checking the JWT token passed in the RDML for validity. No token means the user is not logged in, and an invalid token means it's a bad request.
- Creating a separate endpoint for each existing one and adding either "/auth" or "/secure" to it to differentiate between an authenticated and non-authenticated route. For example: "/orders/auth" - requires authentication and "/orders" - does not require authentication

All of our Server Module APIs have already been built and most of them require authentication. Just trying to think now of which method would be less intrusive to the already built code, without compromising on the quality of the authentication structure and creating security risks.

Re: REST API Endpoints with optional authentication

Posted: Mon Jun 09, 2025 7:26 pm
by KEC
The security at API Design tab is there to enforce it. And optionally ignore it.

If all your operations are going to be flagged as Ignore, then you might as well not do it using #com_home.<security>, but just reference via the HTTP Context.

Also, you don't have to use the "authorization" header for JWT. Some commercial endpoints pass it via their own private header fields. For instance Amazon Seller Central has JWT token passed into x-amz-access-token (see https://developer-docs.amazon.com/amazo ... artner-api)

Make the security what is needed for your circumstances. LANSA gives you some standard ways, but if it doesn't work for you, there are other techniques which are just as valid, and work just as well in LANSA.
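As an added illustration of the two points raised in this thread, the following Python code is not from either poster, from LANSA, or from any product: it sketches jan's first option (let the request through, then decide per request whether it is anonymous, authenticated, or a bad request) while reading the token from a configurable header, as KEC suggests for private header fields. It assumes HS256-signed JWTs with an `exp` claim, a constructed demo secret, and a plain dictionary of request headers standing in for whatever HTTP context the real server exposes. The important design point it shows is that "no token" and "invalid token" are handled differently: the former yields an anonymous request, the latter is rejected rather than silently downgraded to anonymous.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any], secret: bytes) -> str:
    """Build an HS256 JWT. Only used here to construct test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims of a valid token; raise ValueError for any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError(f"undecodable token: {exc}")
    # Pin the algorithm so a token claiming "none" or a different alg is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    # Design choice for this example: a token without exp is treated as invalid.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise ValueError("token expired or missing exp")
    return claims


def _token_from_header(raw: str, header_name: str) -> str:
    """Strip the Bearer scheme for Authorization; private headers carry the raw token."""
    if header_name.lower() == "authorization":
        scheme, _, value = raw.strip().partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            raise ValueError("Authorization header is not a Bearer token")
        return value.strip()
    return raw.strip()


def authenticate(headers: Dict[str, str], secret: bytes,
                 header_name: str = "authorization",
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Optional authentication: anonymous when absent, authenticated when valid, rejected otherwise."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    raw = lowered.get(header_name.lower())
    if raw is None or not raw.strip():
        return {"status": "anonymous", "claims": None}
    try:
        claims = verify_token(_token_from_header(raw, header_name), secret, now)
    except ValueError as exc:
        # Present but invalid: a bad request (e.g. HTTP 401), never a downgrade to anonymous.
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "authenticated", "claims": claims}


if __name__ == "__main__":
    token = mint_token({"sub": "jan", "exp": int(time.time()) + 600}, SECRET)
    print(authenticate({}, SECRET))                                        # anonymous
    print(authenticate({"Authorization": "Bearer " + token}, SECRET))     # authenticated
    print(authenticate({"X-App-Token": token}, SECRET, "x-app-token"))    # private header, authenticated
    print(authenticate({"Authorization": "Bearer not.a.jwt"}, SECRET))    # rejected
```

The endpoint handler then branches on `status`: `anonymous` serves the public view, `authenticated` serves the user-specific view using `claims`, and `rejected` returns an error. Keeping the three outcomes explicit is what makes the "ignore top-level security and check manually" option safe; the risk with that option is accidentally mapping "invalid" onto "anonymous", which would let a bad or expired token reach the public path without anyone noticing.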

Re: REST API Endpoints with optional authentication

Posted: Mon Jun 16, 2025 5:58 pm
by jan
Thanks for the response!

I agree with not using it if the majority of the APIs will just have to set it to be ignored.

I'm gonna look into private header fields as that seems like a great idea for what we're trying to do.