APISIX allows developers to expose public APIs in the plugins. By default, every client can access the API.
Currently, we can protect these public APIs by the plugin interceptors.
https://apisix.apache.org/docs/apisix/plugin-interceptors

There is a problem with the plugin interceptors: you need to implement them by yourself.

So here comes a new idea:
We can introduce a new plugin called 'public-api' to forward the public API, for example:

```
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -X PUT -d '
{
    "plugins": {
        "ip-restriction": {
            "whitelist": ["10.0.0.0/24"]
        },
        "public-api": {
        }
    },
    "uri": "/apisix/my_plugin/api"
}'
```

First of all, we need to make the regular routes match happen before the API routes.
Then, when handling the 'public-api' plugin, we will do API routes lookup and call the public API handler if matched.

Therefore, any protection available in regular routes (like cors) can be used with the API routes.

What about your opinions?
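
The dispatch order proposed above, as a small Python model added here for illustration; it is not APISIX code and not part of the original message. The names `API_ROUTES`, `PLUGIN_ORDER` and `dispatch`, the response bodies and the client addresses are constructed, and the model assumes a public API is reachable only through a route that enables 'public-api'.

```python
import ipaddress

# Constructed stand-in for the handlers that plugins register as public APIs.
API_ROUTES = {"/apisix/my_plugin/api": lambda: (200, "my_plugin public API")}

def ip_restriction(conf, req):
    """Reject clients whose address is outside every whitelisted CIDR."""
    addr = ipaddress.ip_address(req["remote_addr"])
    if not any(addr in ipaddress.ip_network(cidr) for cidr in conf["whitelist"]):
        return 403, "ip not allowed"
    return None  # allowed: let the next plugin run

def public_api(conf, req):
    """Do the API routes lookup and call the public API handler if matched."""
    handler = API_ROUTES.get(req["uri"])
    return handler() if handler else (404, "no public API at this uri")

# Assumed plugin order in this model: access control runs before forwarding.
PLUGIN_ORDER = [("ip-restriction", ip_restriction), ("public-api", public_api)]

# Regular route mirroring the Admin API request in the proposal.
ROUTES = [{
    "uri": "/apisix/my_plugin/api",
    "plugins": {"ip-restriction": {"whitelist": ["10.0.0.0/24"]},
                "public-api": {}},
}]

def dispatch(req, routes=ROUTES):
    # Step 1: the regular route match happens first; API routes are not
    # consulted at this stage.
    route = next((r for r in routes if r["uri"] == req["uri"]), None)
    if route is None:
        return 404, "no route matched"
    # Step 2: run the route's plugins; the first one to return a response ends
    # the request, so ip-restriction can block before public-api forwards.
    for name, plugin in PLUGIN_ORDER:
        if name in route["plugins"]:
            resp = plugin(route["plugins"][name], req)
            if resp is not None:
                return resp
    return 502, "no upstream in this model"

if __name__ == "__main__":
    for ip in ("10.0.0.7", "192.0.2.10"):  # constructed client addresses
        print(ip, dispatch({"uri": "/apisix/my_plugin/api", "remote_addr": ip}))
```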