Hide Model Metadata for public access

Hi,

Is it possible to hide Model Metadata from public access when using service operations?

Yes, it's possible. Just create service operations for the same URLs you want to hide. For example, add the unit below to your project to hide both $model and the root (/) endpoint.

Don't forget to set the TXDataServer.RoutingPrecedence property to TXDataRoutingPrecedence.Service before starting the server.

unit HideDefaultService;

interface

uses
  XData.Service.Common, XData.Server.Module;

type
  [ServiceContract]
  [Route('')]
  IHideDefaultService = interface(IInvokable)
  ['{5A863594-C286-47E6-AE12-7E5612095F3A}']
    [HttpGet, Route('')]
    procedure Root;

    [HttpGet, Route('$model')]
    procedure Model;
  end;

  [ServiceImplementation]
  THideDefaultService = class(TInterfacedObject, IHideDefaultService)
    procedure Root;
    procedure Model;
  end;

implementation

{ THideDefaultService }

procedure THideDefaultService.Model;
begin
  TXDataOperationContext.Current.Handler.SetStatusCode(404);
  TXDataOperationContext.Current.Handler.Response.Close;
end;

procedure THideDefaultService.Root;
begin
  TXDataOperationContext.Current.Handler.SetStatusCode(404);
  TXDataOperationContext.Current.Handler.Response.Close;
end;

initialization
  RegisterServiceType(THideDefaultService);

end.
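A way to confirm from the outside that both endpoints now answer 404, as an added example that is not part of the original post or of TMS XData. The function names and the local stub server are assumptions, constructed so the check runs offline; point `exposed_endpoints` at your own XData base URL in real use.

```python
"""Check that an XData base URL no longer serves / and /$model."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HIDDEN_PATHS = ("", "$model")  # the two routes the unit above overrides
# Connect directly (ignore proxy environment variables) so the status
# code comes from the server under test, not from an intermediary.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_status(url, timeout=5):
    """Return the HTTP status of a GET without raising on 4xx/5xx."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_endpoints(base_url):
    """List the metadata paths that still answer with anything but 404."""
    base = base_url.rstrip("/") + "/"
    statuses = {"/" + p: fetch_status(base + p) for p in HIDDEN_PATHS}
    return sorted(p for p, code in statuses.items() if code != 404)


def start_stub(hidden):
    """Constructed stand-in for an XData server, for offline runs only."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            is_meta = self.path in ("/", "/$model")
            self.send_response(404 if (hidden and is_meta) else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for hidden in (False, True):
        server, url = start_stub(hidden)
        print("unit registered:", hidden, "exposed:", exposed_endpoints(url))
        server.shutdown()
```

An empty list means both routes are hidden; a non-empty list after deployment usually means the routing precedence was not set to Service before the server started.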

Hi,

It is hiding the model; however, when the login form is shown (uDbcontroller.pas from template), it returns the following message and I can't access the services.

The /$model endpoint is needed if you want to use TXDataWebConnection and TXDataWebClient from a TMS Web Core application. In this case you should re-enable the endpoint.

Hi Wagner,

Thank you for the clarification.

Is it possible to add authentication (different from JWT auth) to this servicepoint?

It might be, with several workarounds, but what benefit would this bring?

The endpoint is being requested from the web browser. Whatever the authentication might be, users can easily check the request and see it, or even retrieve the authentication token and make the requests themselves anyway.

With user+password authentication it could be hidden from web scrapers or direct access.

Perhaps enable restriction of certain InstantTypes and Controllers when not authenticated.

Or allow encryption of models via XData.

You don't need a different authentication scheme for that. Just use the same authentication you use for the other endpoints.

When I do that, login is not possible because a JWT token must already be available.

I don't understand what you mean by that.

In any case, again, I don't see a point in protecting something that does not need to be protected.

The alternative is to disable $model and not use TXDataWebConnection; just use regular HTTP requests from the browser.

Thank you. I will do that.

Similar to "TXDataWebConnection download the complete model? - #9 by Monterisi_Stefano": I don't want the model to be available to the public.