How to exclude access to an API from unauthorized users?

We have recently begun using the community/OSS tyk gateway product (version 4.0.6), and I’m struggling to lock down an endpoint. I have set up an API without authentication and can access it successfully through the gateway. I am now trying to restrict access using Basic Auth, but find that the endpoint does not block unauthorized requests.

My API definition (which includes “use_basic_auth” set to true) as returned by the GET tyk/apis endpoint:

[
  {
    "name": "demoapi",
    "slug": "demoapi",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "2",
    "org_id": "1",
    "use_keyless": true,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
      "providers": null,
      "segregate_by_client": false
    },
    "oauth_meta": {
      "allowed_access_types": null,
      "allowed_authorize_types": null,
      "auth_login_redirect": ""
    },
    "auth": {
      "use_param": false,
      "param_name": "",
      "use_cookie": false,
      "cookie_name": "",
      "auth_header_name": "Authorization",
      "use_certificate": false,
      "validate_signature": false,
      "signature": {
        "algorithm": "",
        "header": "",
        "use_param": false,
        "param_name": "",
        "secret": "",
        "allowed_clock_skew": 0,
        "error_code": 0,
        "error_message": ""
      }
    },
    "auth_configs": null,
    "use_basic_auth": true,
    "basic_auth": {
      "disable_caching": false,
      "cache_ttl": 0,
      "extract_from_body": false,
      "body_user_regexp": "",
      "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": false,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
      "shared_secret": "",
      "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
      "is_enabled": false,
      "secret": "",
      "key_id": "",
      "algorithm": "",
      "header_list": null,
      "certificate_id": "",
      "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
      "location": "header",
      "key": "x-api-version",
      "strip_path": false
    },
    "version_data": {
      "not_versioned": true,
      "default_version": "",
      "versions": {
        "Default": {
          "name": "v1",
          "expires": "",
          "paths": {
            "ignored": null,
            "white_list": null,
            "black_list": null
          },
          "use_extended_paths": true,
          "extended_paths": {},
          "global_headers": null,
          "global_headers_remove": null,
          "global_response_headers": null,
          "global_response_headers_remove": null,
          "ignore_endpoint_case": false,
          "global_size_limit": 0,
          "override_target": ""
        }
      }
    },
    "uptime_tests": {
      "check_list": null,
      "config": {
        "expire_utime_after": 0,
        "service_discovery": {
          "use_discovery_service": false,
          "query_endpoint": "",
          "use_nested_query": false,
          "parent_data_path": "",
          "data_path": "",
          "port_data_path": "",
          "target_path": "",
          "use_target_list": false,
          "cache_timeout": 0,
          "endpoint_returns_list": false
        },
        "recheck_wait": 0
      }
    },
    "proxy": {
      "preserve_host_header": false,
      "listen_path": "/demoapi/",
      "target_url": "http://demoapi.quantumleap.svc.cluster.local/",
      "disable_strip_slash": false,
      "strip_listen_path": true,
      "enable_load_balancing": false,
      "target_list": null,
      "check_host_against_uptime_tests": false,
      "service_discovery": {
        "use_discovery_service": false,
        "query_endpoint": "",
        "use_nested_query": false,
        "parent_data_path": "",
        "data_path": "",
        "port_data_path": "",
        "target_path": "",
        "use_target_list": false,
        "cache_timeout": 0,
        "endpoint_returns_list": false
      },
      "transport": {
        "ssl_insecure_skip_verify": false,
        "ssl_ciphers": null,
        "ssl_min_version": 0,
        "ssl_max_version": 0,
        "ssl_force_common_name_check": false,
        "proxy_url": ""
      }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
      "pre": null,
      "post": null,
      "post_key_auth": null,
      "auth_check": {
        "name": "",
        "path": "",
        "require_session": false,
        "raw_body_only": false
      },
      "response": null,
      "driver": "",
      "id_extractor": {
        "extract_from": "",
        "extract_with": "",
        "extractor_config": null
      }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
      "cache_timeout": 0,
      "enable_cache": false,
      "cache_all_safe_requests": false,
      "cache_response_codes": null,
      "enable_upstream_cache_control": false,
      "cache_control_ttl_header": "",
      "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
      "name": "",
      "storage_engine": "",
      "meta": null
    },
    "session_provider": {
      "name": "",
      "storage_engine": "",
      "meta": null
    },
    "event_handlers": {
      "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": false,
    "allowed_ips": null,
    "enable_ip_blacklisting": false,
    "blacklisted_ips": null,
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
      "enable": false,
      "allowed_origins": null,
      "allowed_methods": null,
      "allowed_headers": null,
      "exposed_headers": null,
      "allow_credentials": false,
      "max_age": 0,
      "options_passthrough": false,
      "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
      "rate": 0,
      "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
      "enabled": false,
      "execution_mode": "",
      "version": "",
      "schema": "",
      "type_field_configurations": null,
      "playground": {
        "enabled": false,
        "path": ""
      },
      "engine": {
        "field_configs": null,
        "data_sources": null
      },
      "proxy": {
        "auth_headers": null
      },
      "subgraph": {
        "sdl": ""
      },
      "supergraph": {
        "subgraphs": null,
        "merged_sdl": "",
        "global_headers": null,
        "disable_query_batching": false
      }
    }
  }
]

I have created a Basic Auth user key, as can be seen here (as accessed at the GET tyk/keys) endpoint:

{
  "keys": [
    "eyJvcmciOiIxIiwiaWQiOiJ3b29kc2oiLCJoIjoibXVybXVyMTI4In0=",
  ]
}

The definition used to create the key above (POSTed to /tyk/keys/woodsj) looks like this:

{
    "allowance": 1000,
    "rate": 1000,
    "per": 1,
    "expires": -1,
    "quota_max": -1,
    "org_id": "1",
    "quota_renews": 1449051461,
    "quota_remaining": -1,
    "quota_renewal_rate": 60,
    "access_rights": {
        "2": {
            "api_id": "2",
            "api_name": "demoapi",
            "versions": ["Default"]
        }
    },
    "meta_data": {},
    "basic_auth_data": {
        "password": "xyzzy"
    }
}

I have tried with and without (empty file) a policy in policies/policies.json. My current policies.json looks like this (note running in k8s from OCI image, so policies are in /mnt/tyk-gateway/policies):

$ cat /mnt/tyk-gateway/policies/policies.json
{
  "default": {
  "rate": 1000,
  "per": 1,
  "quota_max": 100,
  "quota_renewal_rate": 60,
  "access_rights": {  },
  "org_id": "1",
  "hmac_enabled": false
  }
}

I am guessing that something is wrong with my policies.json file. I would expect that this proide the default access to any APIs tyk manages, with the policy attached to the key overriding the defaults.

Hi @jwoods ,
Thank you for posting your inquiry here. I checked your API Definition and it seems that you have 2 authentication mode which is keyless and Basic Auth. This is the reason that you have authorization issues. If you set "use_keyless": false, this will disable keyless access and it will only authorized the Basic Authentication you set.

Yes, that was the problem! Thank you :slight_smile: