403 on noAuth route

  • dimyy
    Active Community Member
    • Jun 2018
    • 574

    403 on noAuth route

    I'm registering a noAuth route. When this route is accessed, the x-api-key is present in the header, but this key doesn’t match any user. As a result, an incorrect login attempt is logged, yet the route still processes. However, if the number of requests gets too high, they end up being blocked due to frequent failed login attempts.


    This doesn’t seem entirely logical: either it should reject such requests outright, or it should check for noAuth first and not treat them as login attempts.
  • Firyo
    Senior Member
    • Jun 2022
    • 136

    #2
    Hi there,

    Still in v8 here, we experienced the same issue with this header value being interpreted by Espo (even if the custom route has "noAuth" set to "true"), eventually blocking the request.
    The only solution we had in the end was to override Espo's PHP routes processes.

    We added a new "ignoreAuth" param in the custom routes definition and edited the routing and routes PHP code to take into account this attribute and ignore the auth check.

    Regards,
    Firyo.
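
Added example, not part of either post and not EspoCRM code: a simplified PHP model of the check order discussed in this thread, showing how an unknown x-api-key on a noAuth route feeds the failed-login counter until the client gets a 403, and how checking noAuth first avoids that. The limiter class, the handle() function, the threshold of 3, per-client counting and the sample key and address are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Simplified model for illustration; none of these names are EspoCRM's.
final class FailedAttemptLimiter
{
    private array $failures = [];
    public function __construct(private int $maxFailures) {}
    public function recordFailure(string $client): void
    {
        $this->failures[$client] = ($this->failures[$client] ?? 0) + 1;
    }
    public function isBlocked(string $client): bool
    {
        return ($this->failures[$client] ?? 0) >= $this->maxFailures;
    }
}

// Returns the HTTP status for one request. $noAuthFirst selects the order of checks.
function handle(array $route, array $headers, string $client, array $apiKeys,
    FailedAttemptLimiter $limiter, bool $noAuthFirst): int
{
    $noAuth = $route['noAuth'] ?? false;
    if ($noAuthFirst && $noAuth) {
        return 200; // public route: credentials are never evaluated
    }
    if ($limiter->isBlocked($client)) {
        return 403; // too many failed attempts recorded for this client
    }
    $key = $headers['x-api-key'] ?? null;
    if ($key !== null && !isset($apiKeys[$key])) {
        $limiter->recordFailure($client); // counted as a failed login
        return $noAuth ? 200 : 401;       // the noAuth route is still served
    }
    return ($key !== null || $noAuth) ? 200 : 401;
}

// Constructed sample: a public route called with a key that matches no user.
$route = ['noAuth' => true];
$headers = ['x-api-key' => 'constructed-unknown-key'];
$apiKeys = ['constructed-valid-key' => 'api-user'];

foreach ([false, true] as $noAuthFirst) {
    $limiter = new FailedAttemptLimiter(3);
    $statuses = [];
    for ($i = 0; $i < 5; $i++) {
        $statuses[] = handle($route, $headers, '198.51.100.7', $apiKeys, $limiter, $noAuthFirst);
    }
    echo ($noAuthFirst ? 'noAuth checked first: ' : 'auth attempted first: '), implode(' ', $statuses), PHP_EOL;
}
```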