Skip to content

Explicit public API routes#273

Merged
ericmj merged 4 commits into
hexpm:mainfrom
SteffenDE:sd-docker-explicit-api
Jul 1, 2026
Merged

Explicit public API routes#273
ericmj merged 4 commits into
hexpm:mainfrom
SteffenDE:sd-docker-explicit-api

Conversation

@SteffenDE

Copy link
Copy Markdown
Contributor

Alternative to #272.

@ericmj feel free to take over here. I added a new public API controller. Then I moved the API authentication into the router, because I shared the /api namespace with both private and public routes. This means that I had to comment one test that asserted that auth is checked before request parsing. The alternative would be to either use a different route, e.g. /api/public/... / /public-api/... etc., or explicitly whitelist in the secret plug to keep the same behavior.

Accepts the same parameters as the LiveViews, but returns
a JSON response.
ericmj added 2 commits July 1, 2026 16:59
Moving the agent secret check into a router pipeline meant Plug.Parsers
ran before it, so unauthenticated requests had their body parsed before
being rejected. Restore BobWeb.Plugs.Secret in the endpoint and instead
exempt the two public, read-only search routes from it, keeping the
pre-parse rejection for all authenticated /api routes and restoring the
test that asserts it.
The module kept its name from the content-negotiation PR; it now covers
both public endpoints and lives in public_api_test.exs.
@ericmj ericmj force-pushed the sd-docker-explicit-api branch from 5fa3ac1 to 741598c Compare July 1, 2026 22:59
@ericmj ericmj merged commit 39c1083 into hexpm:main Jul 1, 2026
2 checks passed
@ericmj

ericmj commented Jul 1, 2026

Copy link
Copy Markdown
Member

Thank you! 💜

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants