API access to asset listing

(Sang) #1

Matrix Version: v5.5.1.3

I created an asset listing which returns list of assets from roots folder. I do not want this readable from public, only limited API access from frontend framework would be readable.

I am thinking to put a condition with “api key” parameter and if key is matched then display. but which means if anyone finds the key then they can also access to the page.

Does anyone have better idea for this?



I don’t know how you intend to use this Asset Listing but there are few options here.

Use the Matrix Content API
If you meet the minimum requirements and have access to the server location where Matrix is installed, then you can install and use the Content API. This is a complete API solution with authentication tokens that you can limit to specific users. There is also good documentation on how to configure and use the API.

Squiz Marketplace: https://marketplace.squiz.net/extensions/content-api

Update: I just noted the Matrix version you posted, in which case the Content API won’t be supported in your version of Matrix. The options below may still be viable though.

Put the Asset Listing behind a login
If you remove public read permissions from the Asset Listing and create a new User that does have Read Access, then you can effectively limit access to the Listing to that one user. However, they will need to complete the login form before they can access the listing contents. That is probably less than ideal, but it might meet still your requirements.

Enable HTTP Authentication
Further to the above option, if a login page will cause you issues then you can Enable HTTP Authentication so that the request to your Asset Listing page can include username/password parameters for authentication. This means that user is still validated, but they don’t need to be stopped by the login page first. Then you can use a tool like cURL to retrieve the page content directly.

Note that there are risks in handling authentication so read the notes on the Matrix Manuals page and maybe read up on the subject some more so that you are aware of the risks.

See Enable HTTP Authentication in the manuals: https://matrix.squiz.net/manuals/system-configuration/chapters/system-configuration#Login-Session-Settings