Morning all,
I've been tasked with "turning off the [REST] API" as our application does not require a valid session identifier or other credentials to access portions of the application. So we're looking to restrict access to Globals' URLs; however, inspecting the documentation, I'm unable to find anything about "turning off the API".
Any help would be appreciated.
Morning
@1075816381200736306 - I think the REST API is used in internal requests, right?
I've been able to overwrite default REST routes for a collection with something more specific
Otherwise I would change the permissions of the collection
But disabling the whole REST api? Not sure about that one
It's a good question though
It would only make sense if you want to disable the admin panel as well
Cause yea, the admin panel does make rest api requests
BTW to add to this with a scenario
(And this probably could have been built better on my end)
We had a "Resume" collection to allow people to upload documents
We didn't want them to have accounts, but we did want them to be able to return to their submission and make edits if needed
So they fill out a form and upload a document, this creates a Resume record
Then using an email hook, we send them their unique resume ID via email. They click a link to confirm their email is legit, and they can then use that ID to access their resume again online
The issue is, we don't want people to hit /resumes and get a list of everyone's resume
But we also don't want to overwrite the main /get call for that collection (admin panel would bug out)
So the option was to restrict access, and create a custom endpoint that stepped over the permissions where needed
Thanks all for this BTW
The query was about blocking public, non-authenticated users' access to the API endpoints.
Changing the permissions of a collection is something I will look into.
import type { Request, Response, NextFunction } from 'express';

// Matches any URL under /api (with or without a trailing path)
const apiPathRegex = /^\/api(\/|$)/i;
// Matches exactly /api/globals/<slug>, with no further path segments or query string
const disallowedPathsRegex = /^\/api\/globals\/[^/?]+$/i;

const isApiUrl = (req: Request): boolean => apiPathRegex.test(req.url);
const isDisallowedUrl = (req: Request): boolean => disallowedPathsRegex.test(req.url);

// Express middleware: reject requests to the blocked globals URLs before they reach Payload
export const accessApiMiddleware = (req: Request, res: Response, next: NextFunction): void => {
  console.log('req.url', req.url);
  if (isApiUrl(req) && isDisallowedUrl(req)) {
    console.log('banned Url --> req.url', req.url);
    // res.send(status, body) is deprecated in Express 4; set the status explicitly
    res.status(401).send('Unauthorized');
    return;
  }
  next();
};
In the end this worked, as the regex /^\/api\/globals\/[^/?]+$/i matches URLs that start with "/api/globals/", followed by one or more characters that are not a slash ("/") or a question mark ("?"), and then end. This means it will match any URL that is exactly "/api/globals/<anything>", but not URLs that have additional paths or query parameters.
With this solution, URLs such as "/api/globals/publicaccess" or "/api/globals/public-access" would be blocked, but "/api/globals/footerMenu?locale=en&fallback-locale=null&depth=0&draft=true" or "/api/globals/footerMenu/access" would not be blocked.
and
@1049775120559898725 thanks for answering my query, even getting replies was encouraging and supportive
Maybe it's our Payload system, but
https://website/api/globals/original-policy-provider-options as an example is publicly available,
so we needed to redirect the user.