LGTM, looking forward to it.

Leslie Tsang
leslie.ts...@icloud.com

> On 29 Dec 2021, at 10:17 AM, tzssangglass <tzssanggl...@apache.org> wrote:
>
> Sounds good.
>
>
> *ZhengSong Tu*
> My GitHub: https://github.com/tzssangglass
> Apache APISIX: https://github.com/apache/apisix
>
> Zexuan Luo <spacewan...@apache.org> wrote on Mon, 27 Dec 2021 at 10:38:
>>
>> APISIX allows developers to expose public APIs in the plugins. By
>> default, every client can access the API.
>>
>> Currently, we can protect these public APIs by the plugin interceptors.
>> https://apisix.apache.org/docs/apisix/plugin-interceptors
>>
>> There is a problem with the plugin interceptors: you need to implement
>> them by yourself.
>>
>> So here comes a new idea:
>> We can introduce a new plugin called 'public-api' to forward the
>> public API, for example:
>>
>> ```
>> $ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -i -X PUT -d '
>> {
>>     "plugins": {
>>         "ip-restriction": {
>>             "whitelist": ["10.0.0.0/24"]
>>         },
>>         "public-api": {}
>>     },
>>     "uri": "/apisix/my_plugin/api"
>> }'
>> ```
>>
>> First of all, we need to make the regular routes match happen before
>> the API routes.
>> Then, when handling the 'public-api' plugin, we will do API routes
>> lookup and call the public API handler if matched.
>> Therefore, any protection available in regular routes (like cors) can
>> be used with the API routes.
>>
>> What about your opinions?
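
The dispatch order proposed in the quoted message, as a small Python model added here; it is not APISIX code and not part of the thread. The function names, the handler, the plugin execution order, and the fallback to the API route when no regular route matches are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for the API routes that plugins register (hypothetical handler).
API_ROUTES = {"/apisix/my_plugin/api": lambda: (200, "my_plugin response")}

# The regular route created by the curl call in the proposal.
ROUTES = [{
    "uri": "/apisix/my_plugin/api",
    "plugins": {"ip-restriction": {"whitelist": ["10.0.0.0/24"]}, "public-api": {}},
}]


def ip_restriction(conf, client_ip):
    """Return a 403 response unless client_ip falls inside a whitelisted CIDR."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(cidr) for cidr in conf["whitelist"]):
        return None
    return (403, "forbidden")


def call_api_route(uri):
    """API routes lookup: call the plugin's public API handler if one matches."""
    handler = API_ROUTES.get(uri)
    return handler() if handler else (404, "not found")


def handle(uri, client_ip, routes):
    # 1. The regular route match happens before the API routes.
    route = next((r for r in routes if r["uri"] == uri), None)
    if route is None:
        # Assumption: with no regular route, the API route answers as it does
        # today, so every client can reach it.
        return call_api_route(uri)
    plugins = route["plugins"]
    # 2. Protection configured on the regular route runs first (assumed order).
    if "ip-restriction" in plugins:
        denied = ip_restriction(plugins["ip-restriction"], client_ip)
        if denied is not None:
            return denied
    # 3. public-api does the API routes lookup and calls the handler.
    if "public-api" in plugins:
        return call_api_route(uri)
    return (404, "not found")  # this model has no upstreams


if __name__ == "__main__":
    for ip in ("10.0.0.7", "203.0.113.9"):
        print(ip, "protected:", handle("/apisix/my_plugin/api", ip, ROUTES),
              "unprotected:", handle("/apisix/my_plugin/api", ip, []))
```

Under these assumptions the whitelist only takes effect for a public API URI that a regular route covers, so an audit of the route table against the list of registered public API URIs shows which ones remain open to every client.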