Problem/Motivation

When creating an instance of the class, it is possible to specify whether authentication should be used. Authentication is used by default if an authentication option is provided. (Note: This has already been implemented.)

On a per method basis, it should be possible to override this in order to specify if authentication should or should not be used.

Steps to reproduce

* Create an instance of the JsonApiClient with an authentication method configured.
* All subsequent fetch requests will use this authentication method with no way to override and make an anonymous request.

Proposed resolution

* The JsonApiClient GetOptions interface should accept a new disableAuthentication option.
* If disableAuthentication is true, the fetch request should not use authentication headers (this is likely controlled by the fetch method on the base class).

Remaining tasks

* Implement changes.
* Update docs.
* Add test coverage.

API changes

* JsonApiClient GetOptions interface will accept a new disableAuthentication option.
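
A sketch of the proposed per-request override, added here as an illustration and not the api_client project's own code. The class name, the `prepare` method and the `authorizationHeader` option are hypothetical, and the URL and token are constructed sample values.

```typescript
// Added illustration. Only GetOptions and disableAuthentication come from the
// issue; every other name here is hypothetical.
interface GetOptions {
  disableAuthentication?: boolean;
}

interface ClientOptions {
  // Constructed stand-in for whatever authentication option the client accepts.
  authorizationHeader?: string;
}

interface PreparedRequest {
  url: string;
  headers: Record<string, string>;
}

class SketchJsonApiClient {
  baseUrl: string;
  options: ClientOptions;

  constructor(baseUrl: string, options: ClientOptions = {}) {
    this.baseUrl = baseUrl;
    this.options = options;
  }

  // Single place where credentials are attached, so every method that builds
  // a request follows the same rule.
  prepare(path: string, options: GetOptions = {}): PreparedRequest {
    const headers: Record<string, string> = { Accept: "application/vnd.api+json" };
    const auth = this.options.authorizationHeader;
    // Only a literal `true` opts out; an absent or false flag keeps the
    // instance-level default of sending credentials when they are configured.
    if (auth !== undefined && options.disableAuthentication !== true) {
      headers["Authorization"] = auth;
    }
    return { url: `${this.baseUrl}/jsonapi/${path}`, headers };
  }
}

// Same client instance, one authenticated and one anonymous request.
function demoRequests(): { authed: PreparedRequest; anonymous: PreparedRequest } {
  const client = new SketchJsonApiClient("https://example.test", {
    authorizationHeader: "Bearer constructed-token",
  });
  return {
    authed: client.prepare("node/article"),
    anonymous: client.prepare("node/article", { disableAuthentication: true }),
  };
}
```

Checking that the anonymous request carries no `Authorization` key at all, rather than an empty value, is the assertion worth putting in test coverage.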

Issue fork api_client-3376940


Comments

brianperry created an issue. See original summary.

brianperry’s picture

Status: Active » Postponed

Marking this as postponed as we focus on the vertical slice POC.

brianperry’s picture

Status: Postponed » Active
pratik_kamble’s picture

Do we need the option to disable authentication for methods like Patch, Post, Delete? By default Drupal will require some authentication for these methods. Can you help me understand what is expected out of this issue?
Or do we want to provide the ability to pass an authentication object per method?

brianperry’s picture

@pratik_kamble good question. I can't imagine many cases where it would be a good idea to do this, but it is possible in the admin UI to do things like grant anonymous users permission to delete articles. In that case, would it be possible to use the DELETE method anonymously with JSON:API? If so, I think we should provide an option to disable authentication for all JavaScript methods regardless of the HTTP method used. If it is literally impossible to configure Drupal to allow JSON:API CRUD operations anonymously, then it seems like it would make sense to limit this to GET.

Does that help clarify?

brianperry’s picture

Assigned: Unassigned » brianperry
brianperry’s picture

Issue summary: View changes

brianperry’s picture

Assigned: brianperry » Unassigned
Status: Active » Needs review
brianperry’s picture

This will conflict a bit with the changes in https://www.drupal.org/project/api_client/issues/3418939. Might be easier to merge that one first if that works out. The types there are an improvement.

brianperry’s picture

Status: Needs review » Needs work

Setting to needs work to integrate changes recently merged to canary.

pratik_kamble’s picture

Status: Needs work » Needs review
pratik_kamble’s picture

Status: Needs review » Reviewed & tested by the community
brianperry’s picture

Let's hold off on merging this one for now. Being able to stage a few releases will make it easier to test our publishing workflow.

brianperry’s picture

Status: Reviewed & tested by the community » Fixed

Merging now that we have automation in place.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.