Access Token being checked even on endpoints not calling access_token_required!

[jalexbrun]

I call access_token_required! in several of my api endpoints, but not in the UserLogin endpoints.

if I do the following

   mount Api::UserLogin
   mount Api::SomeOtherEndpoint

I get a 401 error when attempting to log in, even though access_token_required! is not being used in that file.

If I do the following instead

   include Grape::OAuth2.api

   mount Api::SomeOtherEndpoint

Then the user login controller is called without checking for an access token.

[gencer]

Same here. Authentication processed regardless access_token_required! is given or not.

Update: This is probably caused Middleware that inject itself calls Bearer "authorization" method automatically. When that happens, Grape thinks you want authentication.

For the time being, the only workaround is using include in only specific endpoints. I hope we can get @nbulaj' s attention here.

[nbulaj]

@johnbrun09 @gencer thanks for the reporting, I will check it ASAP.

[nbulaj]

@johnbrun09 can yo please provide full code listing for the module where you are injecting include Grape::OAuth2.api ? I can't guess if you get a 401 error without the gem injection or with..

[gencer]

Since no reply made. Let me gave you mine:

  module V2
    class Base < Grape::API
      version 'v2', using: :path, vendor: 'test'
      format :json
      # prefix :api

      include Grape::OAuth2.api
      mount V2::Query
      # ... other mounts

    end
  end

 module V2
   class Query < Grape::API
       # all actions in this class requires authentication. No matter you give :access_token_required! or not.
   end
 end

[nbulaj]

@gencer @johnbrun09 what am I doing wrong?

https://gist.github.com/nbulaj/ff3716d1043143c01b2237c4fa34517a

I've added two endpoints to simple Grape API, one public and one protected (after injecting Grape::OAuth2), and tested it with rackup and curl.

[gencer]

The gist you prepared is the same scheme I used. Only difference (not wrong) is how we used it.

For me; I use it with Rails5. Maybe Rails has something to do with this or some gem interfere?

Because, I am positively sure that mounting api endpoints after oauth.api, makes all mounts authenticable. But before them is public.

Should I prepare a skeleton/sample project for you maybe?

[nbulaj]

@gencer it will be great, because it's hard for me to find a concrete problem without knowing all the environment.

[nbulaj]

Hi @gencer . Any update here?

[gencer]

@nbulaj, I completely forgot about this. I was switched to doorkeeper at that time.

However, I just illustrated a sample on my end and it seems it just passes my test. However, I can't remember exactly what was my previous environment like which was failed as this issue stated 🤕.