LGTM, looking forward to it.

Leslie Tsang
leslie.ts...@icloud.com

> On 29 Dec 2021, at 10:17 AM, tzssangglass <tzssanggl...@apache.org> wrote:
> 
> Sounds good.
> 
> 
> *ZhengSong Tu*
> My GitHub: https://github.com/tzssangglass
> Apache APISIX: https://github.com/apache/apisix
> 
> Zexuan Luo <spacewan...@apache.org> wrote on Mon, 27 Dec 2021 at 10:38:
>> 
>> APISIX allows developers to expose public APIs in the plugins. By
>> default, every client can access the API.
>> 
>> Currently, we can protect these public APIs by the plugin interceptors.
>> https://apisix.apache.org/docs/apisix/plugin-interceptors
>> 
>> There is a problem with the plugin interceptors: you need to implement
>> them by yourself.
>> 
>> So here comes a new idea:
>> We can introduce a new plugin called 'public-api' to forward the
>> public API, for example:
>> 
>> ```
>> $ curl http://127.0.0.1:9080/apisix/admin/routes/1 \
>>   -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -X PUT -d '
>> {
>>     "plugins": {
>>         "ip-restriction": {
>>             "whitelist": ["10.0.0.0/24"]
>>         },
>>         "public-api": {}
>>     },
>>     "uri": "/apisix/my_plugin/api"
>> }'
>> ```
>> 
>> First of all, we need to make the regular routes match happen before
>> the API routes.
>> Then, when handling the 'public-api' plugin, we will do API routes
>> lookup and call the public API handler if matched.
>> Therefore, any protection available in regular routes (like cors) can
>> be used with the API routes.
>> 
>> What about your opinions?
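
The dispatch order proposed in the quoted message, as an added example that is not part of the thread and is not APISIX code. It is a constructed Python model: the handler, the status texts and the function names are assumptions, and only the route body comes from the proposal.

```python
import ipaddress

# Public API handlers that plugins register (constructed stand-in).
API_ROUTES = {"/apisix/my_plugin/api": lambda: (200, "my_plugin public API")}

# Regular route taken from the proposal: ip-restriction plus public-api.
ROUTES = [{
    "uri": "/apisix/my_plugin/api",
    "plugins": {"ip-restriction": {"whitelist": ["10.0.0.0/24"]},
                "public-api": {}},
}]

def ip_restriction(conf, client_ip, uri):
    """Return a 403 response unless the client is inside the whitelist."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in conf["whitelist"]):
        return None  # allowed, continue with the next plugin
    return (403, "denied by ip-restriction")

def public_api(conf, client_ip, uri):
    """Look up the API route and call the plugin's handler if it matches."""
    handler = API_ROUTES.get(uri)
    return handler() if handler else (404, "no public API at this uri")

# Assumed ordering: access control runs before public-api forwards.
PLUGIN_ORDER = [("ip-restriction", ip_restriction), ("public-api", public_api)]

def dispatch(client_ip, uri, routes=ROUTES):
    """Proposed flow: regular route match first, API lookup inside public-api."""
    route = next((r for r in routes if r["uri"] == uri), None)
    if route is None:
        return (404, "no route matched")  # API not exposed without a route
    for name, run in PLUGIN_ORDER:
        if name in route["plugins"]:
            response = run(route["plugins"][name], client_ip, uri)
            if response is not None:
                return response
    return (502, "no upstream in this model")

def dispatch_default(client_ip, uri):
    """Behaviour described as the default: API routes answer every client."""
    handler = API_ROUTES.get(uri)
    return handler() if handler else dispatch(client_ip, uri)

if __name__ == "__main__":
    for ip in ("10.0.0.7", "192.0.2.10"):  # constructed client addresses
        print(ip, dispatch_default(ip, "/apisix/my_plugin/api"),
              dispatch(ip, "/apisix/my_plugin/api"))
```

In this model a client outside 10.0.0.0/24 is served by the default flow and rejected by the proposed one, and with no route carrying 'public-api' the API is not reachable at all.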
