I’m using Tyk CE 2.3.5. The APIs are configured to use JWT authentication with the Tyk policy ID embedded as a claim. A gRPC plugin is configured as a “post_key_auth” hook as shown below. MyPosthook does some request transformation before sending the modified request to the upstream service.
The policy is configured with whitelists (allowed_urls) for upstream APIs with the list of allowed HTTP verbs. Some APIs are configured to forward requests to the upstream service without the gRPC plugin, while others are configured to invoke the gRPC plugin after authentication is successful.
For a Tyk API without a gRPC plugin, the allowed_url is enforced correctly. For example, if the whitelist only supports the GET verb for endpoint A, and the same endpoint is hit with the POST verb, Tyk returns HTTP 403 with the error “resource has been disallowed” or something along that line, and the request is NOT sent to the upstream URL.
However, for a Tyk API with a gRPC plugin configured, the allowed_url is not enforced correctly. For a similar case as above, Tyk returns the same HTTP 403 and error as stated in the case without gRPC. However, the gRPC plugin is STILL invoked. I’m expecting Tyk to just return the HTTP 403 without invoking the gRPC plugin.
Does this look like a bug, or am I missing something in my manifest.json or API config to enforce the policy correctly with gRPC?
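Whatever the gateway's hook ordering turns out to be, a hook that transforms requests can re-apply the same method allowlist itself, so a request the policy rejects is never transformed or forwarded by the plugin even if the hook fires. The Python below is an added illustration, not Tyk's code and not the poster's MyPosthook; it assumes a policy shaped like Tyk's access_rights/allowed_urls (a URL pattern plus a list of methods, with an empty list treated here as "no path restriction"), a hypothetical API id, and a plain dict standing in for the incoming request.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample policy mirroring the access_rights -> allowed_urls shape.
# "example-api-id" is a hypothetical API id; the url values are regexes here.
SAMPLE_POLICY: Dict = {
    "access_rights": {
        "example-api-id": {
            "allowed_urls": [
                {"url": r"^/accounts/[0-9]+$", "methods": ["GET"]},
                {"url": r"^/accounts$", "methods": ["GET", "POST"]},
            ]
        }
    }
}


def is_allowed(policy: Dict, api_id: str, method: str, path: str) -> bool:
    """True only if the policy grants api_id and some allowed_urls entry
    matches the path AND lists the method. Unknown API id -> deny."""
    rights = policy.get("access_rights", {}).get(api_id)
    if rights is None:
        return False
    entries: List[Dict] = rights.get("allowed_urls", [])
    if not entries:
        # Assumption for this example: no entries means no path/method restriction.
        return True
    for entry in entries:
        methods = {m.upper() for m in entry.get("methods", [])}
        if re.search(entry["url"], path) and method.upper() in methods:
            return True
    return False


def post_key_auth_hook(policy: Dict, api_id: str, request: Dict) -> Tuple[int, Optional[Dict]]:
    """Hypothetical hook body: enforce the allowlist before doing any transformation.
    Returns (status, transformed_request); 403 mirrors the gateway's own verdict,
    and the request is left untouched (None) so nothing reaches the upstream path."""
    if not is_allowed(policy, api_id, request["method"], request["path"]):
        return 403, None
    transformed = dict(request)
    # Stand-in for the real transformation: add a marker header.
    transformed["headers"] = {**request.get("headers", {}), "X-Transformed": "1"}
    return 200, transformed


if __name__ == "__main__":
    # GET on a whitelisted path is transformed; POST on a GET-only path is refused.
    for method in ("GET", "POST"):
        status, req = post_key_auth_hook(
            SAMPLE_POLICY, "example-api-id", {"method": method, "path": "/accounts/42"}
        )
        print(method, "/accounts/42", "->", status, req)
```

The check is deliberately the same rule the gateway applies, so the hook's verdict can never be more permissive than the policy; if the two disagree, the hook's own 403 is the signal worth logging.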