franciscoraposo asked

Whitelist for Client API access

Hi!

I am trying to change the API permissions for my app using

[POST] https://TITLE.playfabapi.com/Admin/UpdatePolicy

I wanted to do a whitelist approach, where I would deny access to all Client API endpoints, then allow some of them, only the ones I'm using in my application. Below is an example of the request's body.

My issue is that by denying access to all Client API endpoints, the request will fail, even if I'm allowing a specific endpoint from that API.

How can the API policy be used as a whitelist? (note: I've tried rearranging the order of the objects in the array, but nothing changed)

{
    "PolicyName": "ApiPolicy",
    "OverwritePolicy": true,
    "Statements": [
        {
            "Resource": "pfrn:api--*",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "The default allow all statement."
        },
        {
            "Resource": "pfrn:api--/Client/ExecuteCloudScript",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "Allow Client-side ExecuteCloudScript calls."
        },
        {
            "Resource": "pfrn:api--/Client/GetFriendLeaderboard",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "Allow Client-side GetFriendLeaderboard calls."
        },
        {
            "Resource": "pfrn:api--/Client/GetFriendsList",
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Comment": "Allow Client-side GetFriendsList calls."
        },
        {
            "Resource": "pfrn:api--/Client/*",
            "Action": "*",
            "Effect": "Deny",
            "Principal": "*",
            "Comment": "Deny all Client API endpoints."
        }
    ]
}


1 Answer

Seth Du answered

You may notice that by default, the API policy will only have one entry:

{
    "Resource": "pfrn:api--*",
    "Action": "*",
    "Effect": "Allow",
    "Principal": "*",
    "Comment": "The default allow all statement."
},

If you delete it then add your preferred API, you may implement the "whitelist" feature.
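To make the difference between the two policies concrete, here is an added example (not from the original thread or from PlayFab): it models the policy from the question and the whitelist shape the answer recommends, and lints a statement list for the two patterns that defeat a whitelist before it is sent to UpdatePolicy. The evaluation model (glob-matched resources, any matching Deny beating any Allow regardless of order, unmatched resources denied) is an assumption chosen to reproduce what the thread observed, not PlayFab's published algorithm.

```python
from fnmatch import fnmatchcase

def _stmt(resource, effect, comment=""):
    """Build one API policy statement in the shape used in this thread."""
    return {"Resource": resource, "Action": "*", "Effect": effect,
            "Principal": "*", "Comment": comment}

# Constructed copy of the question's policy: default allow-all, three explicit
# Client allows, and a Deny on every Client endpoint.
QUESTION_POLICY = [
    _stmt("pfrn:api--*", "Allow", "The default allow all statement."),
    _stmt("pfrn:api--/Client/ExecuteCloudScript", "Allow"),
    _stmt("pfrn:api--/Client/GetFriendLeaderboard", "Allow"),
    _stmt("pfrn:api--/Client/GetFriendsList", "Allow"),
    _stmt("pfrn:api--/Client/*", "Deny", "Deny all Client API endpoints."),
]

def is_allowed(statements, resource):
    """Assumed evaluation model (not PlayFab's published algorithm): resources are
    glob-matched, any matching Deny beats any Allow regardless of order, and a
    resource no statement matches is denied. This reproduces the thread's
    observation that the Client/* Deny blocks the explicitly allowed calls."""
    effects = {s["Effect"] for s in statements if fnmatchcase(resource, s["Resource"])}
    return "Deny" not in effects and "Allow" in effects

def whitelist_policy(client_endpoints):
    """The shape the answer recommends: drop the default allow-all, add no
    wildcard Deny, and allow exactly the Client endpoints the app uses."""
    return [_stmt(f"pfrn:api--/Client/{ep}", "Allow", f"Allow Client-side {ep} calls.")
            for ep in client_endpoints]

def lint_policy(statements):
    """Flag statements that make a whitelist ineffective before sending UpdatePolicy."""
    findings = []
    for s in statements:
        if s["Effect"] == "Allow" and s["Resource"] in ("pfrn:api--*", "pfrn:api--/Client/*"):
            findings.append(f"broad Allow on {s['Resource']} defeats the whitelist")
        if s["Effect"] == "Deny" and "*" in s["Resource"]:
            findings.append(f"wildcard Deny on {s['Resource']} overrides explicit Allows")
    return findings

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY),
                         ("whitelist", whitelist_policy(["ExecuteCloudScript", "GetFriendsList"]))):
        ok = is_allowed(policy, "pfrn:api--/Client/GetFriendsList")
        print(f"{name}: GetFriendsList allowed={ok}; findings={lint_policy(policy)}")
```

Under this model the question's policy denies GetFriendsList because the Client/* Deny matches it, while the whitelist allows only the endpoints listed and denies everything else under Client by omission.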

2 comments

franciscoraposo commented

Thanks for the answer! I thought that I could just deny access to the Client API afterwards but doing this did work!

There's another issue though: How do I know all the other APIs to allow access to, such as Server, Admin, etc? I need to allow all of them now. The ones I currently have are

  • Admin
  • Authentication
  • Server
  • Object

Are there any more needed? I'm also using /Group/ & /CloudScript/ but they are not allowed in the request body

Seth Du ♦ franciscoraposo commented
  • Entity API is not supported and API policy has no effect on Entity API.
  • Even though you can define Server/ Admin policy and deny the permission, API policy only affects Client API. It can be by design because the developers and secure server should always be able to access all APIs.
  • API policy and Entity Policy are separate, and Entity Policy is aimed at accessing specific Entity data. The way to use them can be similar but the purposes are different.

If you have any good suggestions, please feel free to send a thread on the Feature Request forum.
