This project is the official security plugin for SharwAPI.
It provides a lightweight route protection mechanism. Through configuration, you can specify that certain URL paths require a specific token to be accessed. The plugin intercepts requests and verifies the token in the HTTP request headers.
- Path-based Interception: Supports configuring multiple protected route paths with prefix matching (e.g., configuring `/admin` will protect `/admin/users` and all its sub-paths).
- Token Validation: Enforces validation of the `X-Api-Token` request header for matched requests.
- Simple Configuration: Dynamically manage protected resources via `appsettings.json`.
- Download the compiled `.dll` file from Releases.
- Place it into the `Plugins` directory of the Core API.
- Configure the `appsettings.json` file of the Core API (see below).
- Restart the API.
This plugin reads the AuthSettings node from the configuration file. Please add the following configuration to SharwAPI's appsettings.json:
```json
{
  "Logging": { ... },
  "AllowedHosts": "*",
  // Route Guard Plugin Configuration
  "AuthSettings": {
    "ProtectedRoutes": [
      {
        "Path": "/admin",        // Protected path prefix
        "Token": "secret-123"    // Token required to access this path
      },
      {
        "Path": "/private/data",
        "Token": "another-secret"
      }
    ]
  }
}
```
- ProtectedRoutes: A list of protected routes.
  - Path: The path prefix. The plugin uses `StartsWithSegments` for matching, meaning `/admin` will match `/admin`, `/admin/user`, `/admin/settings`, etc.
  - Token: The expected security token.
When a client initiates a request, if the request path matches a configured Path, the plugin performs the following checks:
- Check Header: Looks for the HTTP request header named `X-Api-Token`.
- Verify Content: Compares the header value with the configured `Token` for an exact match.
Response Status Codes:
- 401 Unauthorized: The `X-Api-Token` header is missing.
- 403 Forbidden: The token does not match (invalid token).
```http
GET /admin/users HTTP/1.1
Host: localhost:5000
X-Api-Token: secret-123
```
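The checks described above, written out as a minimal ASP.NET Core middleware. This is an added example, not the plugin's source; the first-match rule, the SHA-256 plus fixed-time comparison, the `ProtectedRoute` class and the `/admin/users` endpoint are assumptions of the example.

```csharp
// Added example (not SharwAPI source): Program.cs for a Microsoft.NET.Sdk.Web
// project with implicit usings, reproducing the checks the README describes.
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Reads the same AuthSettings:ProtectedRoutes section shown in the README.
var routes = app.Configuration.GetSection("AuthSettings:ProtectedRoutes")
                .Get<List<ProtectedRoute>>() ?? new List<ProtectedRoute>();

// Returns 200 to let the request through, otherwise the status to send.
int Check(PathString path, string? presented)
{
    // Whole-segment prefix match: /admin covers /admin/users but not /administrator.
    // Assumption: when several entries match, the first one listed decides.
    var route = routes.FirstOrDefault(r => path.StartsWithSegments(r.Path));
    if (route is null) return StatusCodes.Status200OK;
    if (presented is null) return StatusCodes.Status401Unauthorized;   // header missing

    // Hash both values so the comparison runs over equal-length inputs,
    // then compare in constant time (this example's choice).
    var a = SHA256.HashData(Encoding.UTF8.GetBytes(presented));
    var b = SHA256.HashData(Encoding.UTF8.GetBytes(route.Token));
    return CryptographicOperations.FixedTimeEquals(a, b)
        ? StatusCodes.Status200OK
        : StatusCodes.Status403Forbidden;
}

app.Use(async (context, next) =>
{
    var status = Check(context.Request.Path, context.Request.Headers["X-Api-Token"]);
    if (status != StatusCodes.Status200OK)
    {
        context.Response.StatusCode = status;   // short-circuit: endpoint never runs
        return;
    }
    await next(context);
});

app.MapGet("/admin/users", () => "ok");   // hypothetical endpoint for trying the guard
app.Run();

public sealed class ProtectedRoute
{
    public string Path { get; set; } = "";
    public string Token { get; set; } = "";
}
```

`StartsWithSegments` compares case-insensitively by default, so a `/admin` entry also covers `/Admin/users`.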
This project is licensed under the GNU Lesser General Public License v3.0.