Calling M2 REST API from browser for anonymous users












0















I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



It looks like session-based authorization is what I'm after.



I started by grabbing a Javascript swagger client from npm.



Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
console.log('Products: ', rsp.body)
});


However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




Customers can access resources that are configured with anonymous or
self permission in the webapi.xml configuration file.




So I look in vendor/magento/module-catalog/etc/webapi.xml



<route url="/V1/products" method="GET">
<service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Catalog::products" />
</resources>
</route>


Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.










share|improve this question





























    0















    I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



    It looks like session-based authorization is what I'm after.



    I started by grabbing a Javascript swagger client from npm.



    Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



    m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
    console.log('Products: ', rsp.body)
    });


    However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




    Customers can access resources that are configured with anonymous or
    self permission in the webapi.xml configuration file.




    So I look in vendor/magento/module-catalog/etc/webapi.xml



    <route url="/V1/products" method="GET">
    <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Catalog::products" />
    </resources>
    </route>


    Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



    I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.










    share|improve this question



























      0












      0








      0








      I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



      It looks like session-based authorization is what I'm after.



      I started by grabbing a Javascript swagger client from npm.



      Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



      m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
      console.log('Products: ', rsp.body)
      });


      However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




      Customers can access resources that are configured with anonymous or
      self permission in the webapi.xml configuration file.




      So I look in vendor/magento/module-catalog/etc/webapi.xml



      <route url="/V1/products" method="GET">
      <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
      <resources>
      <resource ref="Magento_Catalog::products" />
      </resources>
      </route>


      Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



      I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.










      share|improve this question
















      I'm trying to call REST endpoints from the browser. Initially, I'd like to be able to fetch product information.



      It looks like session-based authorization is what I'm after.



      I started by grabbing a Javascript swagger client from npm.



      Now I'm trying to make a simple call to fetch products (I have but one in my local site currently).



      m2.catalogProductRepositoryV1GetListGet().done((rsp) => {
      console.log('Products: ', rsp.body)
      });


      However, I'm getting a 401. Then I see this note in that same session-based-auth doc mentioned above




      Customers can access resources that are configured with anonymous or
      self permission in the webapi.xml configuration file.




      So I look in vendor/magento/module-catalog/etc/webapi.xml



      <route url="/V1/products" method="GET">
      <service class="MagentoCatalogApiProductRepositoryInterface" method="getList"/>
      <resources>
      <resource ref="Magento_Catalog::products" />
      </resources>
      </route>


      Notice no anonymous or self permission here. Now I'm thinking really? Products are not allowed to be consumed by the browser out of the box?



      I'm understand Magento_Catalog::products refers to a Resource Model. I'm now trying to define and ACL, however, I'm unsure how to associate the ACL with public (not-logged in) users.







      ajax rest-api swagger






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 10 mins ago







      quickshiftin

















      asked 6 hours ago









      quickshiftinquickshiftin

      871925




      871925






















          1 Answer
          1






          active

          oldest

          votes


















          0














          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          <service class="{{your calss}}" method="getList"/>
          <resources>
          <resource ref="annoymous" />
          </resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer
























          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "479"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f258211%2fcalling-m2-rest-api-from-browser-for-anonymous-users%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          <service class="{{your calss}}" method="getList"/>
          <resources>
          <resource ref="annoymous" />
          </resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer
























          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago
















          0














          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          <service class="{{your calss}}" method="getList"/>
          <resources>
          <resource ref="annoymous" />
          </resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer
























          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago














          0












          0








          0







          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          <service class="{{your calss}}" method="getList"/>
          <resources>
          <resource ref="annoymous" />
          </resources>




          After that, call your api and you can get them from anywhere without permission.






          share|improve this answer













          You can create an API clone from that API:



          <route url="/V1/all_products" method="GET">
          <service class="{{your calss}}" method="getList"/>
          <resources>
          <resource ref="annoymous" />
          </resources>




          After that, call your api and you can get them from anywhere without permission.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 3 hours ago









          the lightthe light

          1




          1













          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago



















          • Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

            – quickshiftin
            51 mins ago

















          Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

          – quickshiftin
          51 mins ago





          Thanks for your answer! While this might work it is less than ideal for a couple of reasons: 1. LOTS of code duplication, 2. Client library needs to be hacked to change URLs for EVERY endpoint

          – quickshiftin
          51 mins ago


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Magento Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f258211%2fcalling-m2-rest-api-from-browser-for-anonymous-users%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Magento 2 controller redirect on button click in phtml file

          Polycentropodidae