API endpoint authentication

Radish Kitten

7 months ago

Good morning, we're a bit new to Payload and currently trying to set everything up (only the backend right now in order to migrate data over).

Anyway, we noticed that by default, any API endpoint (i.e: /api/pages/) is publicly viewable. We'd like to prevent this from happening and I've checked out

https://payloadcms.com/docs/authentication/operations

but still not too sure how to do this, unfortunately.

In the meantime, since we're hosting our payload backend on Azure app service, I've added Authentication there so at least that's working for us 🙂

thisisnotchris
7 months ago
Hello @Radish Kitten !

You want to setup up Access Control for your collections

https://payloadcms.com/docs/access-control/collections

For instance, if you have your Pages Collection
```
const Pages: CollectionConfig = {
  slug: "pages",
  access: {
    create: ({ req: { user } }) => { ... },
    read: ({ req: { user } }) => { ... },
    update: ({ req: { user } }) => { ... },
    delete: ({ req: { user } }) => { ... },
    admin: ({ req: { user } }) => { ... },
  },
};
```
Each type of operation in access (create, read, etc) has a function as its value

The function should return a boolean

Some folks implement role-based access and have slightly more complex access logic

If you can elaborate on how you want the access to work, I can suggest a configuration
noheadphones
7 months ago
^^^

And if you need helper plugins, I'll shill mine and another one:

https://github.com/NouanceLabs/payload-simple-rbac
https://www.npmjs.com/package/payload-rbac
Radish Kitten
7 months ago
Oh yeah @noheadphones we definitely used yours at first but then we somewhat copied what payload itself uses, which is defining roles in /access/ and referencing them later on in Pages.ts

access: { read: (isAdminOrHasSiteAccessOrPublished || isTech), create: (isAdminOrHasSiteAccess('id') || isTech), update: (isAdminOrHasSiteAccess('id') || isTech), delete: isAdmin,
noheadphones
7 months ago
interesting, im up for updating my plugin with further utilities if it stays within the scope of its simplicity...what limitations did you have?
Radish Kitten
7 months ago
@noheadphones I think one of my devs just preferred the cleaner look 🙂 No biggie
noheadphones
7 months ago
thats actually the main reason i didnt do anything complex for mine...with payload its much easier to roll your own solution than to have an overengineered plugin that might still not do everything you need

Open the post

Continue the discussion in Discord

Like what we're doing?
Star us on GitHub!

Star

Connect with the Payload Community on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.