
Accessing APIs from both application and postman - team and token verification #1909

Open
pranavig opened this issue Dec 11, 2024 · 6 comments

Comments

@pranavig

Continuing from Previous Issue

Hi, I want one of the APIs to also be usable from Postman / curl along with website session access.

If I generate the API key from the login and use it with Postman, it only works once; the second call throws the unauthorised error. Is there a way to generate long-running tokens in this saas-starter-kit?

Additionally, the pages/api/** files have validation for team verification like below. How does this work for Postman API calls? I don't want to comment out this code, as the web application still needs this validation.

const teamMember = await throwIfNoTeamAccess(req, res);
throwIfNotAllowed(teamMember, 'team_member', 'read');

Is there any other alternative for implementing this approach?

@deepakprabhakara
Member

The API keys generated don't have any expiry until you delete them. Can you debug it to see where that unauthorised call is coming from and why?

@SindhuZelar

Hi,
yes, we have debugged the issue.
There are two things.
Firstly, we do not have a session token to pass through middleware.ts.

The same thing happens in
const teamMember = await throwIfNoTeamAccess(req, res); throwIfNotAllowed(teamMember, 'team_member', 'read');
as it has getSession functionality.

We tried fetching the session token from the browser, but it says unauthorized in Postman.
We also tried giving a JWT token (payload and secret); it says unauthorized.

Secondly, even if I give the API key in my Authorization header in the curl and use throwIfNoAcessApiKey for validation, it needs user info, which comes from the session token.

Simply, could you please give us an exact curl to test in Postman to get all Teams? It would be of help; then we can replicate the same for our APIs.

@deepakprabhakara
Member

You will have to customize middleware.ts to suit your needs for the new API routes; for instance, we do something like this:

  // Admin API routes: gated by an API key instead of a browser session
  if (micromatch.isMatch(pathname, ['/api/admin/**'])) {
    // Reject the request before it reaches the route handler if the key is missing or invalid
    if (!(await isValidAdminAPIKey(req))) {
      return NextResponse.json(
        { error: { message: 'Unauthorized' } },
        { status: 401 }
      );
    }

    return NextResponse.next();
  }

The customized isValidAdminAPIKey checks for the API key in the Authorization header and also runs it through throwIfNoAccessToApiKey as needed.
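A framework-agnostic sketch of the check described above, added here as an example; it is not the kit's own middleware or its isValidAdminAPIKey. It assumes keys are stored as SHA-256 hashes scoped to a team (the key table and the prefix match standing in for micromatch are constructed for the example), and it shows why the result carries only a team id and no user identity.

```typescript
// Added example, not saas-starter-kit code. Assumption: the key table stores
// sha256(key) -> teamId, mirroring the thread's point that keys are team-scoped.
import { createHash } from 'crypto';

const hashKey = (key: string): string =>
  createHash('sha256').update(key).digest('hex');

// Constructed in-memory stand-in for the API key table. Only the hash is kept,
// so a leaked table does not yield usable keys.
const API_KEYS = new Map<string, string>([
  [hashKey('tk_example_team_a_key'), 'team-a'],
]);

type HeaderMap = Record<string, string | undefined>; // lowercase header names

// Parse "Authorization: Bearer <key>"; any other scheme or shape counts as no key.
export function bearerToken(headers: HeaderMap): string | null {
  const value = headers['authorization'];
  if (!value) return null;
  const [scheme, token, ...rest] = value.trim().split(/\s+/);
  if (scheme.toLowerCase() !== 'bearer' || !token || rest.length > 0) return null;
  return token;
}

// Resolve a presented key to its team by hash lookup; null when unknown.
export function teamForApiKey(key: string): string | null {
  return API_KEYS.get(hashKey(key)) ?? null;
}

// The middleware decision for one request. Only /api/admin/ routes are gated
// by the key (the page matches them with micromatch; a prefix test stands in).
// Returns the status the middleware would answer with and the team the key
// belongs to. There is no userId here: that is all a team-scoped key can tell
// a later throwIfNoTeamAccess-style check, which is what the thread runs into.
export function adminApiDecision(
  pathname: string,
  headers: HeaderMap
): { status: number; teamId: string | null } {
  if (!pathname.startsWith('/api/admin/')) return { status: 200, teamId: null };
  const key = bearerToken(headers);
  const teamId = key ? teamForApiKey(key) : null;
  if (teamId === null) return { status: 401, teamId: null };
  return { status: 200, teamId };
}
```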

@SindhuZelar

Hi,
I have customized the middleware and checked. Here I can only validate (throwIfNoAccessToApiKey) with the team Id using the API key,
but going forward my APIs need to check for const teamMember = await throwIfNoTeamAccess(req, res); throwIfNotAllowed(teamMember, 'team_member', 'read');
because it checks whether the requesting person is a Team Member and also whether they are allowed the REST operation.
For this I need user info, which is not coming from the API key table except the team Id.

Please suggest if I am missing something here.
Is there any alternative or inbuilt solution, as we want to do some POST operations externally?

@deepakprabhakara
Member

Currently API keys are associated with the team; if you need them to be associated with users then you will have to make modifications to the schema and functionality.

@SindhuZelar

Ok. Thank you.
