I am able to execute "EchoString" even though I am not authenticated.
Having a look at TJwtMiddleware.ProcessRequest, it checks for ForbidAnonymousAccess, but when I enable this, I can't even open Swagger or execute my Login.
e.g. fXDataModule.AddMiddleware(TJwtMiddleware.Create(DEFAULT_SECRET, true));
Am I missing something else in the implementation?
The documentation allows for both approaches. It can be at function or class level.
[ServiceContract]
IMyService = interface(IInvokable)
['{80A69E6E-CA89-41B5-A854-DFC412503FEA}']
function NonRestricted: string;
[Authorize]
function Restricted: string;
end;
and
[ServiceContract]
[Authorize]
IMyService = interface(IInvokable)
['{80A69E6E-CA89-41B5-A854-DFC412503FEA}']
function Restricted: string;
function AlsoRestricted: string;
end;
I have however noticed the following in the documentation as well.
WARNING
Regardless of whether the token exists or not and the User property is set or not, the middleware will forward the processing of the request to your server. It's up to you to check if the user is present in the request or not. If you want the token to prevent non-authenticated requests from being processed, set its ForbidAnonymousAccess to true.
Does this mean I should implement an additional middleware that checks for the bearer token in the header, but only if it is not my logon service? I was hoping that this logic would be handled by the TJwtMiddleware or is this way before the attribute is validated?
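The following is an added example (not code from the original post, nor from the TMS documentation) showing one way to lay out the pieces mentioned above: a login service that must stay reachable anonymously, an echo service marked with the [Authorize] attribute at class level, and the JWT middleware registered with ForbidAnonymousAccess left false so that authorization is decided per service rather than for the whole module. Unit names (XData.Service.Common, XData.Security.Attributes, XData.Server.Module, XData.Sys.Exceptions, Bcl.Jose.Core.JWT, Bcl.Jose.Core.Builder, Sparkle.Middleware.Jwt), the EXDataHttpUnauthorized exception, the TXDataOperationContext.Current.Request.User property and the TJOSE.SHA256CompactToken call are written from memory of the XData/Sparkle API and should be treated as assumptions; the GUIDs, the secret and the credential check are constructed placeholders.

```delphi
unit EchoServiceDemo; // hypothetical unit name

interface

uses
  System.SysUtils,
  XData.Service.Common,      // ServiceContract, ServiceImplementation, RegisterServiceType (assumed unit)
  XData.Security.Attributes; // Authorize attribute (assumed unit)

const
  DEMO_SECRET = 'replace-with-a-long-random-secret'; // placeholder, not a real secret

type
  // Login must be callable without a token, so it carries no [Authorize].
  [ServiceContract]
  ILoginService = interface(IInvokable)
    ['{11111111-2222-3333-4444-555555555555}'] // placeholder GUID
    function Login(const UserName, Password: string): string;
  end;

  // Class-level [Authorize]: every method of this contract requires an
  // authenticated user, EchoString included.
  [ServiceContract]
  [Authorize]
  IEchoService = interface(IInvokable)
    ['{66666666-7777-8888-9999-AAAAAAAAAAAA}'] // placeholder GUID
    function EchoString(const Value: string): string;
  end;

  [ServiceImplementation]
  TLoginService = class(TInterfacedObject, ILoginService)
    function Login(const UserName, Password: string): string;
  end;

  [ServiceImplementation]
  TEchoService = class(TInterfacedObject, IEchoService)
    function EchoString(const Value: string): string;
  end;

implementation

uses
  XData.Server.Module,   // TXDataOperationContext (assumed unit)
  XData.Sys.Exceptions,  // EXDataHttpUnauthorized (assumed unit)
  Bcl.Jose.Core.JWT,     // TJWT (assumed unit)
  Bcl.Jose.Core.Builder; // TJOSE (assumed unit)

function TLoginService.Login(const UserName, Password: string): string;
var
  JWT: TJWT;
begin
  // Constructed credential check; a real service would verify a stored hash.
  if (UserName <> 'demo') or (Password <> 'demo') then
    raise EXDataHttpUnauthorized.Create('Invalid credentials');

  JWT := TJWT.Create;
  try
    JWT.Claims.SetClaimOfType<string>('name', UserName);
    JWT.Claims.Expiration := Now + (1 / 24); // one hour, keeps stolen tokens short-lived
    Result := TJOSE.SHA256CompactToken(DEMO_SECRET, JWT); // must match the middleware secret
  finally
    JWT.Free;
  end;
end;

function TEchoService.EchoString(const Value: string): string;
begin
  // Defence in depth: even with [Authorize] on the contract, the implementation
  // confirms the middleware actually populated a user before doing any work.
  if TXDataOperationContext.Current.Request.User = nil then
    raise EXDataHttpUnauthorized.Create('Authentication required');
  Result := Value;
end;

initialization
  RegisterServiceType(TypeInfo(ILoginService));
  RegisterServiceType(TLoginService);
  RegisterServiceType(TypeInfo(IEchoService));
  RegisterServiceType(TEchoService);

end.
```

The matching middleware registration in the server module, with the second argument false so anonymous requests still reach the login service and the Swagger endpoints, would be `fXDataModule.AddMiddleware(TJwtMiddleware.Create(DEMO_SECRET, False));` (TJwtMiddleware from Sparkle.Middleware.Jwt). With that setup the middleware only parses the token and sets Request.User, and the [Authorize] attribute on IEchoService is what rejects unauthenticated calls to EchoString.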