APISIX allows developers to expose public APIs in the plugins. By
default, every client can access the API.

Currently, we can protect these public APIs by the plugin interceptors.
https://apisix.apache.org/docs/apisix/plugin-interceptors

There is a problem with the plugin interceptors: you need to implement
them yourself.

So here comes a new idea:
We can introduce a new plugin called 'public-api' to forward the
public API, for example:

```
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 \
    -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -X PUT -d '
{
    "plugins": {
        "ip-restriction": {
            "whitelist": ["10.0.0.0/24"]
        },
        "public-api": {}
    },
    "uri": "/apisix/my_plugin/api"
}'
```

First of all, we need to make the regular route match happen before
the API route match.
Then, when handling the 'public-api' plugin, we will do an API route
lookup and call the public API handler if matched.
Therefore, any protection available in regular routes (like cors) can
be used with the API routes.

What about your opinions?

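The match order proposed above, modelled in Python as an added example (not APISIX code and not part of the original message). The handler, the `dispatch` function, the response bodies and the client addresses are constructed for illustration. Falling through to a direct API route match when no regular route matches is an assumption read from "before the API routes".

```python
import ipaddress

# Public API registered by a plugin (constructed handler for the page's URI).
API_ROUTES = {"/apisix/my_plugin/api": lambda: (200, "my_plugin api response")}

# The regular route from the proposal: ip-restriction runs, then public-api.
ROUTES = [{
    "uri": "/apisix/my_plugin/api",
    "plugins": [("ip-restriction", {"whitelist": ["10.0.0.0/24"]}),
                ("public-api", {})],
}]

def ip_restriction(conf, req):
    """Return None to continue, or a (status, body) pair to stop the request."""
    ip = ipaddress.ip_address(req["client_ip"])
    if any(ip in ipaddress.ip_network(net) for net in conf["whitelist"]):
        return None
    return (403, "forbidden by ip-restriction")

def public_api(conf, req):
    """Proposed plugin: look up the API route and call its handler."""
    handler = API_ROUTES.get(req["uri"])
    return handler() if handler else (404, "public API not found")

PLUGINS = {"ip-restriction": ip_restriction, "public-api": public_api}

def dispatch(req, routes=ROUTES, regular_first=True):
    """regular_first=True is the proposed order; False matches API routes first."""
    if regular_first:
        for route in routes:
            if route["uri"] == req["uri"]:
                for name, conf in route["plugins"]:
                    result = PLUGINS[name](conf, req)
                    if result is not None:
                        return result
                return (502, "no upstream in this model")
    # Direct API route match: no route plugins run, so any client gets through.
    handler = API_ROUTES.get(req["uri"])
    return handler() if handler else (404, "Not Found")

if __name__ == "__main__":
    for ip in ("10.0.0.7", "203.0.113.9"):  # constructed client addresses
        req = {"uri": "/apisix/my_plugin/api", "client_ip": ip}
        print(ip, "proposed:", dispatch(req),
              "api-first:", dispatch(req, regular_first=False))
```

In this model a URI that no regular route covers still reaches the handler unprotected, so each public API needs a route of its own for the restriction to apply.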