API key plugin - Orgs?
What is the best way to handle orgs via the API key plugin:
E.g., if the user has access to a resource of an org or not, etc.
10 Replies
you can use permissions
Yes - But more if the user is assigned to multiple orgs
My issue is the way I've done it now, users can "escape" and just query data for all orgs.
Pretty sure I am the issue, just looking for a general solution.
you should still be able to assign a permission that points to a specific orgId. But you can also just add the orgId in the metadata.
metadata for the api key?
yeah
So just include the orgId in the metadata - Then the API key is "only" for that org id. That would work.
I assume I'd need to implement logic checking the api key for this
yeah. you'd need to check the orgId.
My current implementation does this
When the user hits the use org, it adds the "activeorg" to the session, and all backend logic just checks what the user's activeorg is, as they shouldn't be able to change this other than to what orgs they have access to.
if scoping to one org is a hard requirement, you can just assume api key belongs to a user and they can query any org they are a part of.
But that would still require me to do custom logic on each route - So the user should query with the org id.
I think having separate API keys for separate orgs is the correct way to do it in my workflow
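The two approaches discussed in this thread (an API key scoped to one org through its metadata, or a key that belongs to a user who may be in several orgs) both come down to the same server-side check: the org used for the query must come from the authorization decision, not from whatever orgId the caller sends. The following is an added example, not code from the plugin or from anyone in the thread; the key record shape `{ userId, metadata: { orgId } }`, the membership table and the resource list are constructed assumptions.

```javascript
// Constructed sample data: which users belong to which orgs, and some resources.
const memberships = { user_1: ["org_a", "org_b"], user_2: ["org_c"] };
const sampleResources = [
  { id: 1, orgId: "org_a" }, { id: 2, orgId: "org_b" }, { id: 3, orgId: "org_c" },
];

// Strategy 1: the key is scoped to exactly one org via metadata.orgId (assumed shape).
// A request may omit orgId (the scope is used) but may never name a different one.
function authorizeScopedKey(keyRecord, requestedOrgId) {
  const scopedOrg = keyRecord?.metadata?.orgId;
  if (typeof scopedOrg !== "string" || scopedOrg.length === 0) {
    return { ok: false, reason: "key has no orgId scope" };
  }
  if (requestedOrgId !== undefined && requestedOrgId !== scopedOrg) {
    return { ok: false, reason: "key is not scoped to the requested org" };
  }
  return { ok: true, orgId: scopedOrg };
}

// Strategy 2: the key belongs to a user; any org they are a member of is allowed,
// but the org must be named explicitly and checked against membership every time.
function authorizeUserKey(keyRecord, requestedOrgId, lookupMemberships) {
  if (typeof requestedOrgId !== "string" || requestedOrgId.length === 0) {
    return { ok: false, reason: "orgId is required for a user-bound key" };
  }
  const orgs = lookupMemberships(keyRecord?.userId) ?? [];
  if (!orgs.includes(requestedOrgId)) {
    return { ok: false, reason: "user is not a member of the requested org" };
  }
  return { ok: true, orgId: requestedOrgId };
}

// Route helper: filter resources by the org the authorization step returned.
// Because the filter never reads query.orgId directly, a caller cannot "escape"
// into other orgs' data by changing the query.
function handleListResources(keyRecord, query, resources) {
  const decision = keyRecord?.metadata?.orgId
    ? authorizeScopedKey(keyRecord, query.orgId)
    : authorizeUserKey(keyRecord, query.orgId, (uid) => memberships[uid]);
  if (!decision.ok) return { status: 403, body: { error: decision.reason } };
  return { status: 200, body: resources.filter((r) => r.orgId === decision.orgId) };
}
```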