Expected Behavior: If the user is logged in only then he has access to /test api Current Behavior: The /test API is open and has no authentication in place.
If you look at the adminApp.get call you've shared, you'll see the needsPermission("flows.read") middleware - that is what enables authentication on the endpoint. You'll need to pick the right permission to require - the string passed to the function.
The permission takes the form of XYZ.read or XYZ.write - depending on whether it requires read-only or full read/write access.
So when I do adminApp.get("/test",needsPermission("test.read"),test.get,apiUtil.errorHandler);
It's unauthorized.
I guess my question is where do I define scope of this new permission?
I can't figure out how needsPermission("flows.read") is enabling authentication.
The needsPermission function returns a middleware that handles the request before it reaches your test.get function. That middleware checks if the user making the request has the required permission.
You don't have to predefined the permission anywhere. As long as the permission string takes the form XYZ.read or XYZ.write then it will work as expected.
As per the docs users either have the permission read or *. If it is read then they are allowed to access anything with a XYZ.read permission. If it's * then they can access everything.
The reason for the XYZ part of the permission is to identify the type of resource being accessed - which allows for some finer-grained permissions. For example, a user couple have a permission of ["read", "inject.write"] - this would allow them read-only access to the editor, but would be able to trigger any inject nodes.
