
PostgREST is a REST API for PostgreSQL databases. I am using PostgREST v9.0.0 with the following config:

db-uri = "postgres://remote_worker:1HyiYai@localhost:5432/myDb"
db-schema = "public"
db-anon-role = "remote_worker"
jwt-secret = "1HyiYaiMTAAJ1pluZnBtAMnTUH19E3gg"
db-pool = 10
db-pool-timeout = 10
server-host = "!4"
server-port = 3000

I assumed that if I set the jwt-secret parameter in the config, it would automatically mean that only JWT authorization works.

However, I can make a request without authorization just by typing http://localhost:3000/myTable?Id=eq.2 in the browser, or on the command line: curl http://localhost:3000/Kits

At the same time, when I make a request with the authorization parameter, for example curl http://localhost:3000/Kits -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoicmVtb3RlX3dvcmtlciJ9.wAzG0zeHPYBflP4PhipUh0W8pvPLCbOQ2M4NFNTOSgc", then the request passes only if the token is correct.

How can I disable anonymous execution of a request?

user2749279

1 Answer

When you don't use a JWT token, the role used is always the db-anon-role. So depending on your database settings, this role can have read access to the schema and return the response for the query.

If you want to have only authorized users, you need to create a new user on your DB, remove the rights on the schema for the db-anon user and leave only the new user with usage on the schema.

The following Postgres setting should work:

-- anonymous role: no login, and no grants on the schema
create role web_anon nologin;
-- the role PostgREST connects as; password matches the db-uri below
create role authenticator noinherit login password 'omni123';
grant web_anon to authenticator;

-- role named in the JWT "role" claim for authorized requests
create role rest_api nologin;
grant rest_api to authenticator;

create database "mydb" with owner rest_api;

PostgREST conf:

db-uri = "postgres://authenticator:omni123@localhost:5432/mydb"
db-schema = "public"
db-anon-role = "web_anon"

The default user web_anon doesn't have access to mydb; all requests with the token should work if you add the "role" rest_api in the JWT token, as described in the PostgREST documentation: https://postgrest.org/en/stable/tutorials/tut1.html#tut1

cnaimi
Thank you. There is a little subtlety here. The web_anon role does not need to be created. You can write in the config: db-anon-role = "fake" and everything will work. – user2749279 Jan 16 '22 at 05:25
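To make the answer's point concrete, here is an added model (not PostgREST's own code) of how the role for a request is chosen: no Authorization header always maps to db-anon-role, a valid HS256 token maps to its "role" claim, and a bad signature is rejected. It reuses the jwt-secret from the question and the web_anon/rest_api roles from the answer; the function names are assumptions for illustration, and the secret must be treated as confidential just as the config file is.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Values taken from the question and answer above (illustrative only).
JWT_SECRET = b"1HyiYaiMTAAJ1pluZnBtAMnTUH19E3gg"
DB_ANON_ROLE = "web_anon"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(role: str, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 JWT whose only claim is the Postgres role to switch to."""
    compact = dict(separators=(",", ":"))
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"role": role}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def resolve_role(authorization: Optional[str], secret: bytes = JWT_SECRET,
                 anon_role: str = DB_ANON_ROLE) -> str:
    """Model of PostgREST role selection (assumed, simplified).

    No token -> db-anon-role. Valid token -> its "role" claim (anon role if the
    claim is absent). Malformed token or wrong signature -> request rejected,
    raised here as PermissionError. Setting jwt-secret alone never blocks the
    anonymous path; only the grants given to the anon role do.
    """
    if not authorization:
        return anon_role
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise PermissionError("malformed Authorization header")
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("invalid JWT signature")
    claims = json.loads(_b64url_decode(payload_b64))
    return claims.get("role", anon_role)
```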