authenticate an exposed REST API


I'm trying to add basic authentication to an exposed REST API.

According to the documentation the created OnAuthentication action will handle the authentication. And if an exception is raised, the request is aborted.

https://success.outsystems.com/Documentation/10/Extensibility_and_Integration/REST/Expose_REST_APIs/Add_Basic_Authentication_to_an_Exposed_REST_API

This is, however, not happening. First of all, when the OnAuthentication action was created it didn't contain a user_login action. When I build my own logic in there to raise an exception (see below), it still isn't working. The exception is being raised on an invalid password. However, after the OnAuthentication it just continues: it will start the REST API Method instead of aborting, despite the authentication having just failed.

Abort Transaction is set to yes.
So why is this authentication method not aborting on an invalid login?

Any thoughts?

Solution

Hello Paul, as you can see below, when you change the authentication type of your API to Basic, the platform automatically creates an OnAuthentication method for you with two parameters (Username, Password). Using these two parameters you need to implement your own authentication logic.



It's important to note that you can't put an exception handler inside this method, because when you do this you silence the exception; this is why your API doesn't stop. You need to raise the exception, not silence it, so remove the exception handler.


About the AbortTransaction property of the ExceptionHandler, like below:


This property has nothing to do with abandoning the web service execution; it only abandons all database modifications within the transaction in progress, that is, a database rollback.


Solution

Alexandre Costa wrote:

It's important to note that you can't put an exception handler inside this method, because when you do this you silence the exception; this is why your API doesn't stop. You need to raise the exception, not silence it, so remove the exception handler.

Hello Alexandre, 

Thank you for your extensive answer.

I have a question about how to raise the exception. So if I understand you correctly, I just need to remove the handling of the exception?

What happens then is that the process is indeed stopped, however with an HTTP status error 500.
Preferably the system gives an error 401, indicating there was an authentication error instead of a server error. Is that possible?


Thank you for your reply.

I've moved the SetStatusCode action (used to set an HTTP status 401) from the exception path to the normal flow, as the exception path needs to be removed based on Alexandre's comments.

Paul. wrote:

Alexandre Costa wrote:

It's important to note that you can't put an exception handler inside this method, because when you do this you silence the exception; this is why your API doesn't stop. You need to raise the exception, not silence it, so remove the exception handler.

Hello Alexandre, 

Thank you for your extensive answer.

I have a question about how to raise the exception. So if I understand you correctly, I just need to remove the handling of the exception?

What happens then is that the process is indeed stopped, however with an HTTP status error 500.
Preferably the system gives an error 401, indicating there was an authentication error instead of a server error. Is that possible?


Hello Paul, yes, you understand correctly: just remove the handling of the exception. And yes, it is possible to customize your response status code; before raising the exception you need to use the SetStatusCode function. I hope this helps.
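The three behaviours discussed in this thread (an exception handler inside the hook silencing the failure so the API method still runs, a bare raise aborting with 500, and SetStatusCode before the raise aborting with 401) are illustrated below as an added plain-Python sketch of the control flow. It is not OutSystems code and not from this thread: the Response object, the dispatch function standing in for the platform, the credential store and the sample user are all constructed here for the example.

```python
"""Added example: how an OnAuthentication-style hook aborts (or fails to abort) a
request. Plain Python, not OutSystems; Response, dispatch and CREDENTIALS are constructed."""
import base64
import hashlib
import hmac


class AuthenticationError(Exception):
    """Raised by the authentication hook to abort the request."""


class Response:
    """Minimal stand-in for the response object whose status the hook can set."""

    def __init__(self):
        self.status_code = 200
        self.body = ""


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' header,
    or None when the header is missing or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store: one API user with a salted PBKDF2 hash.
_SALT = b"constructed-static-salt-for-the-example"
CREDENTIALS = {"api_user": _hash_password("correct horse", _SALT)}


def check_credentials(username, password):
    """Constant-time comparison against the stored hash. Unknown users are compared
    against a dummy hash so the timing does not reveal which usernames exist."""
    expected = CREDENTIALS.get(username)
    candidate = _hash_password(password, _SALT)
    if expected is None:
        hmac.compare_digest(candidate, _hash_password("", _SALT))  # keep timing uniform
        return False
    return hmac.compare_digest(candidate, expected)


def on_authentication_swallowed(username, password, response):
    """The questioner's original variant: the exception is caught inside the hook,
    so the platform never sees it and the API method still runs."""
    try:
        if not check_credentials(username, password):
            raise AuthenticationError("invalid credentials")
    except AuthenticationError:
        pass  # silenced: nothing re-raised, request continues


def on_authentication_raise_only(username, password, response):
    """Handler removed but no status set: the request aborts, but as a 500."""
    if not check_credentials(username, password):
        raise AuthenticationError("invalid credentials")


def on_authentication(username, password, response):
    """The answer's pattern: set the status first, then let the exception propagate."""
    if not check_credentials(username, password):
        response.status_code = 401  # the SetStatusCode step
        raise AuthenticationError("invalid credentials")


def dispatch(headers, hook, api_method):
    """Stand-in for the platform: run the hook, abort on exception, else call the method.
    An exception that arrives with the default status becomes a 500."""
    response = Response()
    creds = parse_basic_auth(headers.get("Authorization"))
    username, password = creds if creds else ("", "")
    try:
        hook(username, password, response)
    except AuthenticationError as exc:
        if response.status_code == 200:
            response.status_code = 500
        response.body = str(exc)
        return response
    response.body = api_method()
    return response


def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def api_method():
    return "secret payload"


if __name__ == "__main__":
    good = {"Authorization": basic_header("api_user", "correct horse")}
    bad = {"Authorization": basic_header("api_user", "wrong")}
    print(dispatch(good, on_authentication, api_method).status_code)            # 200
    print(dispatch(bad, on_authentication, api_method).status_code)             # 401
    print(dispatch(bad, on_authentication_raise_only, api_method).status_code)  # 500
    print(dispatch(bad, on_authentication_swallowed, api_method).body)          # method ran
```

The swallowed variant is the one to watch for in review: the method body is returned to an unauthenticated caller even though the password check failed, which is exactly the symptom in the question.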