Can't limit exposure to certain API endpoints

We’re struggling to limit exposure to a single endpoint for a given service. We do not want all endpoints exposed. However, no matter what we try, ALL endpoints are exposed. Here’s a sample API definition:

{
    "api_definition": {
        "api_id": "my_api",
        "auth": {
            "auth_header_name": "Authorization"
        },
        "info": {
            "name": "my_api",
            "slug": "my_api"
        },
        "CORS": {
            "allowed_headers": [
                "Origin",
                "Accept",
                "Content-Type",
                "X-Requested-With",
                "Authorization"
            ],
            "allowed_methods": [
                "GET",
                "POST",
                "OPTIONS",
                "HEAD"
            ],
            "allowed_origins": [
                "*"
            ],
            "debug": true,
            "enable": true,
            "options_passthrough": false
        },
        "disable_quota": true,
        "do_not_track": false,
        "id": "my_api",
        "name": "my_api",
        "org_id": "default",
        "proxy": {
            "listen_path": "/my_api/",
            "strip_listen_path": true,
            "target_url": "http://my-api.my-api.svc.cluster.local:8888"
        },
        "slug": "my_api",
        "use_keyless": false,
        "version_data": {
            "not_versioned": true,
            "default_version": "",
            "versions": {
                "": {}
            }
        },
        "extended_paths": {
            "white_list": [
                {
                    "path": "^v2/cats",
                    "method_actions": {
                        "POST": {
                            "action": "pass",
                            "code": 200,
                            "data": "",
                            "headers": {}
                        }
                    }
                }
            ]
        }
    }
}

We’ve also tried OAS definitions, with no luck there either.

We’re using Tyk OSS 5.3.0. Other than this, the gateway is working fine.

Any advice would be much appreciated. Thank you!


Hello, I’ve upgraded us to tyk-gateway 5.8.0 and we’re having the same problem.

Here’s the new API definition we’re sending to /tyk/apis/oas:

{
    "openapi": "3.0.3",
    "info": {
        "title": "my_api",
        "version": "1.0.0"
    },
    "servers": [
        {
            "url": "http://my-api.my-api.svc.cluster.local:8888"
        }
    ],
    "paths": {
        "/v2/places": {
            "post": {
                "summary": "Create a new place",
                "responses": {
                    "200": {
                        "description": "Place created successfully"
                    }
                }
            }
        }
    },
    "x-tyk-api-gateway": {
        "info": {
            "name": "my_api",
            "id": "my_api",
            "state": {
                "active": true
            }
        },
        "server": {
            "listenPath": {
                "value": "/my_api/",
                "strip": true
            },
            "strictRouting": true
        },
        "upstream": {
            "url": "http://distribution-api.distribution-api.svc.cluster.local:8001"
        },
        "security": {
            "authentication": {
                "type": "token",
                "token": {
                    "header": "Authorization"
                }
            }
        },
        "useExtendedPaths": true,
        "extendedPaths": {
            "whiteList": [
                {
                    "path": "^v2/places$",
                    "methodActions": {
                        "POST": {
                            "action": "pass"
                        }
                    }
                }
            ]
        }
    }
}

Ok, I got it working with this configuration:

{
    "openapi": "3.0.3",
    "info": {
        "title": "my_api",
        "version": "1.0.0"
    },
    "servers": [
        {
            "url": "http://my-api.my-api.svc.cluster.local:8888"
        }
    ],
    "paths": {
        "/v2/places": {
            "post": {
                "operationId": "places_post",
                "responses": {
                    "200": {
                        "description": ""
                    }
                }
            }
        }
    },
    "x-tyk-api-gateway": {
        "info": {
            "name": "my-api",
            "id": "my_api",
            "state": {
                "active": true
            }
        },
        "server": {
            "listenPath": {
                "value": "/my-api/",
                "strip": true
            },
            "strictRouting": true
        },
        "upstream": {
            "url": "http://my-api.my-api.svc.cluster.local:8001"
        }
        "middleware": {
            "operations": {
                "places_post": {
                    "allow": {
                        "enabled": true,
                        "ignoreCase": true
                    }
                }
            }
        }
    }
}

The next problem is how to set the API key. The route I don’t want exposed is now correctly returning a 403. However, the public route /my-api/v2/places is giving me this error:

{
    "error": "Access to this API has been disallowed"
}

Now I’m chasing down how the API key should be working.