Calling M2 REST API from browser for anonymous users












0















I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



It looks like session-based authorization is what I'm after.



I started by grabbing a Javascript swagger client from npm.



Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



m2.catalogProductRepositoryV1GetListGet().done((rsp) => {

  console.log('Products: ', rsp.body)

});


However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




Customers can access resources that are configured with anonymous or
self permission in the webapi.xml configuration file.




So I look in vendor/magento/module-catalog/etc/webapi.xml



<route url="/V1/products" method="GET">

    <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>

    <resources>

        <resource ref="Magento_Catalog::products" />

    </resources>

</route>


Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.






ajax rest-api swagger







share|improve this question





























    0















    I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



    It looks like session-based authorization is what I'm after.



    I started by grabbing a Javascript swagger client from npm.



    Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



    m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
    
  console.log('Products: ', rsp.body)
    
});


    However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




    Customers can access resources that are configured with anonymous or
    self permission in the webapi.xml configuration file.




    So I look in vendor/magento/module-catalog/etc/webapi.xml



    <route url="/V1/products" method="GET">
    
    <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
    
    <resources>
    
        <resource ref="Magento_Catalog::products" />
    
    </resources>
    
</route>


    Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



    I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.






    ajax rest-api swagger







    share|improve this question



























      0












      0








      0








      I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



      It looks like session-based authorization is what I'm after.



      I started by grabbing a Javascript swagger client from npm.



      Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



      m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
      
  console.log('Products: ', rsp.body)
      
});


      However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




      Customers can access resources that are configured with anonymous or
      self permission in the webapi.xml configuration file.




      So I look in vendor/magento/module-catalog/etc/webapi.xml



      <route url="/V1/products" method="GET">
      
    <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
      
    <resources>
      
        <resource ref="Magento_Catalog::products" />
      
    </resources>
      
</route>


      Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



      I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.






      ajax rest-api swagger







      share|improve this question
















      I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



      It looks like session-based authorization is what I'm after.



      I started by grabbing a Javascript swagger client from npm.



      Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



      m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
      
  console.log('Products: ', rsp.body)
      
});


      However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




      Customers can access resources that are configured with anonymous or
      self permission in the webapi.xml configuration file.




      So I look in vendor/magento/module-catalog/etc/webapi.xml



      <route url="/V1/products" method="GET">
      
    <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
      
    <resources>
      
        <resource ref="Magento_Catalog::products" />
      
    </resources>
      
</route>


      Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



      I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.






      ajax rest-api swagger




      ajax rest-api swagger






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 10 mins ago







      quickshiftin

















      asked 6 hours ago









      quickshiftinquickshiftin

      871925




      871925






















          1 Answer
          1






          active

          oldest

          votes


















          0














          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          
<service class="{{your calss}}" method="getList"/>
          
<resources>
          
    <resource ref="annoymous" />
          
</resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer
























          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "479"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f258211%2fcalling-m2-rest-api-from-browser-for-anonymous-users%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          
<service class="{{your calss}}" method="getList"/>
          
<resources>
          
    <resource ref="annoymous" />
          
</resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer
























          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago
















          0














          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          
<service class="{{your calss}}" method="getList"/>
          
<resources>
          
    <resource ref="annoymous" />
          
</resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer
























          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago














          0












          0








          0







          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          
<service class="{{your calss}}" method="getList"/>
          
<resources>
          
    <resource ref="annoymous" />
          
</resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer













          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          
<service class="{{your calss}}" method="getList"/>
          
<resources>
          
    <resource ref="annoymous" />
          
</resources>




          After that, call your api and you can get them from anywhere without permission.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 3 hours ago









          the lightthe light

          1




          1













          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago



















          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago

















          Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

          – quickshiftin
          51 mins ago





          Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

          – quickshiftin
          51 mins ago


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Magento Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f258211%2fcalling-m2-rest-api-from-browser-for-anonymous-users%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Polycentropodidae

          Image
          Polycentropodidae Plectrocnemia conspersa Siyentipiko nga pagklasipika Ginhadi-an: Animalia Phylum: Arthropoda Ubosphylum: Hexapoda Klase: Insecta Orden: Trichoptera Labawbanay: Hydropsychoidea Banay: Polycentropodidae Binomial nga ngaran Polycentropodidae An Polycentropodidae [1] in uska familia han Insecta. An Polycentropodidae in nahilalakip ha familia nga Hydropsychoidea, ordo nga Trichoptera, classis nga Insecta, punoan nga Arthropoda, ngan regnum nga Animalia. [1] An familia nga Polycentropodidae in naglalakip hin 660 ka mga species, sumala ha Catalogue of Life [1] . An kladograma hini sumala ha Catalogue of Life [1] : Hydropsychoidea   Polycentropodidae  Adectophylax Antillopsyche Cernotina Cyrnellus Cyrnodes Cyrnopsis Cyrnus Eodipseudopsis Eoneureclipsis Holocentropus Kambaitipsyche Neucentropus
          Read more

          Magento 2 Error message: Invalid state change requested

          Image
          2 1 I've created custom Rest API for adding and removing products from cart. I am able to add and delete products from my cart, but when I log in as a customer, I can't add or delete products from cart. API throws message: Invalid state change requested. How can I solve this? magento2 share | improve this question edited Mar 15 '18 at 13:02 Bare Feet 1,561 1 7 32 asked Mar 15 '18 at 12:50 Prabhu M. Prabhu M. 18 5
          Read more

          Paulmy

          Image
          An Paulmy amo in usa ka komyun ha departamento han Indre-et-Loire ngan ha Rehiyon Sentro ha nasod han Fransya. k h l Mga komyun ha departamento han Indre-et-Loire Abilly  · Ambillou  · Amboise  · Anché  · Antogny-le-Tillac  · Artannes-sur-Indre  · Assay  · Athée-sur-Cher  · Autrèche  · Auzouer-en-Touraine  · Avoine  · Avon-les-Roches  · Avrillé-les-Ponceaux  · Azay-le-Rideau  · Azay-sur-Cher  · Azay-sur-Indre  · Ballan-Miré  · Barrou  · Beaulieu-lès-Loches  · Beaumont-en-Véron  · Beaumont-la-Ronce  · Beaumont-Village  · Benais  · Berthenay  · Betz-le-Château  · Bléré  · Bossay-sur-Claise  · Bossée  · Le Boulay  · Bourgueil  · Bournan  · Boussay  · Braslou  · Braye-sous-Faye  · Braye-sur-Maulne  · Brèches  · Bréhémont  · Bridoré  · Brizay  · Bueil-en-Touraine  · Candes-Saint-Martin  · Cangey  · La Celle-Guenand  · La Celle-Saint-Avant  · Céré-la-Ronde  · Cerelles  · Chambon  ·
          Read more