Hi,
Scenario: To validate the required incoming URL (i.e. the part of the incoming URL / BasePath string must be "XXX" or "YYY" or "ZZZ"):
We are validating the BasePath of the URL as indicated below.
https://myvhost/*/ggg/yyy (the correct path is https://myvhost/XXX/ggg/yyy); * is given as an example for the URL.
(Validation is for the part displayed as *.) This part needs to be a certain value: the * part of the BasePath could be “XXX” or “YYY” or “ZZZ”. The value comes in the incoming BasePath.
Eg:
(is the ApigeeSaaS URL to invoke the backend from Postman; it is an HTTP GET request)
For such a URL, the JavaScript logic for the * (BasePath) validation is listed below.
var basePath = context.getVariable("proxy.url");
var valid = false;
var fun = basePath.split("/");
var urlString = fun[3];
print("urlString ---" + urlString);
if (urlString == "XXX" || urlString == "YYY" || urlString == "ZZZ") {
    valid = true;
}
context.setVariable("ValidateStatus", valid);
context.setVariable("resourcepath", urlString);
In the above scenario, the Proxy Endpoint ‘default’ PreFlow information is listed below.
Eg: Flow of the ProxyEndpoint proxy (high-level flow information) (in ProxyEndpoint “PreFlow”)
The overall logic of the PreFlow is:
Starts with Secured Shared Flow --> API Key Validation --> Invoke OKTA for Token and required logic --> ValidateEntitlementsInformation (JavaScript) etc.
Note: ValidateEntitlementsInformation is the name of the JavaScript logic, which validates the * information of the URL to be either “XXX” or “YYY” or “ZZZ”, as below:
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>Security-Shared Flow</Name>
            </Step>
            <Step>
                <Name>Verify-APIKey-OKTA</Name>
            </Step>
            <Step>
                <Name>Verify-OKTA-JWT</Name>
            </Step>
            <Step>
                <Name>JavaScript-ValidateEntitlementsInformation</Name>
            </Step>
            <Step>
                <Name>Raise-Fault</Name>
                <Condition>(ValidateStatus == false)</Condition>
            </Step>
            <Step>
                <Name>ExtractRoleInfo</Name>
                <Condition>(scopes==null or scopes=="")</Condition>
            </Step>
            <Step>
                <Name>Raise-Fault-1</Name>
            </Step>
        </Request>
    </PreFlow>
    <PostFlow name="PostFlow">
    </PostFlow>
    <Flows>
        <Flow name="GetUserProfile">
            <Description>Gets User Profile Information</Description>
            <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "GET")</Condition>
        </Flow>
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/*/v1/api</BasePath>
        <Properties/>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
In order to avoid writing * in the <BasePath> tag as indicated above, is there any logic or pattern to avoid * in the <BasePath> under <HTTPProxyConnection>?
We want to avoid * in <BasePath>, which could be a security issue. What would be a valid <BasePath> without using *? The indicated scenario requires validating * to be "XXX" or "YYY" or "ZZZ", which I am taking care of in JavaScript, and that works fine.
I would appreciate your suggestions if you have handled any such cases.
Let me know if you require any additional information.
Just simplifying if incoming URL from client is
If incoming HTTP GET from postman is expected to be either XXX or YYY or ZZZ in base path url like
https://<apigeSaaSurl>/XXX/v1/api
https://<apigeSaaSurl>/YYY/v1/api
https://<apigeSaaSurl>/ZZZ/v1/api
Then the
<ProxyEndpoint name="default">
<PreFlow name="PreFlow">
<BasePath> can be designed in the format below, but * in BasePath seems to be a security issue. Please suggest.
<HTTPProxyConnection>
<BasePath>/*/v1/api</BasePath>
<Properties/>
<VirtualHost>secure</VirtualHost>
</HTTPProxyConnection>
I am validating for BasePath to be XXX or YYY or ZZZ in JavaScript but I am not sure if the BasePath url design representation in current situation
Please suggest
I think it would be simpler for you to configure your proxy flows.
One proxy flow with a condition for your valid paths:
<Condition>(proxy.pathsuffix MatchesPath "/xxx") or (proxy.pathsuffix MatchesPath "/yyy")</Condition>
Another default proxy flow for your non-matching case; this can include a RaiseFault policy, for example.
You may need to vary your conditions here to match your needs.
Apigee does NOT support using a wildcard "*" as the first element of a base path. For example, this is NOT supported: /*/search. Starting the base path with a "*" can lead to unexpected errors because of the way Edge identifies valid paths.
I think you need to use a generic value as your basePath like /employees if it is an Employees Data API.
Then use multiple ConditionalFlows in the ProxyEndpoint. Also, add an invalid-path flow which would raise an error if it did not match any earlier pathsuffix.
https://docs.apigee.com/api-platform/fundamentals/flow-configurations
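Added example (not code from any participant in this thread): a JavaScript policy body that applies the XXX/YYY/ZZZ allowlist to the first segment of proxy.pathsuffix instead of a fixed index into proxy.url. It assumes the proxy has a fixed base path with no "*", as the answers suggest, so the validated segment arrives at the start of the path suffix; the function name checkFirstSegment is hypothetical.

```javascript
// Added example. Assumption: the base path is fixed (no "*"), so the
// XXX/YYY/ZZZ element is the first segment of proxy.pathsuffix.
var ALLOWED_SEGMENTS = ["XXX", "YYY", "ZZZ"]; // values taken from the post

// Hypothetical helper: returns { valid, segment } for a path suffix.
function checkFirstSegment(pathSuffix) {
  var result = { valid: false, segment: "" };
  // A missing or relative suffix never matches.
  if (typeof pathSuffix !== "string" || pathSuffix.charAt(0) !== "/") {
    return result;
  }
  // Defensive: ignore anything after "?" or "#".
  var pathOnly = pathSuffix.split(/[?#]/)[0];
  // "/XXX/v1/api" -> ["", "XXX", "v1", "api"]; "//XXX" yields "" and fails.
  var first = pathOnly.split("/")[1] || "";
  // Reject percent-encoded input rather than decoding and comparing.
  if (first.indexOf("%") !== -1) {
    return result;
  }
  // Exact, case-sensitive comparison against the allowlist.
  if (ALLOWED_SEGMENTS.indexOf(first) !== -1) {
    result.valid = true;
    result.segment = first;
  }
  return result;
}

// Inside an Apigee JavaScript policy the runtime supplies `context`.
// Only an allowlisted segment is copied to resourcepath; rejected input
// is not propagated to later policies.
if (typeof context !== "undefined") {
  var outcome = checkFirstSegment(context.getVariable("proxy.pathsuffix"));
  context.setVariable("ValidateStatus", outcome.valid);
  context.setVariable("resourcepath", outcome.segment);
}
```

The existing Raise-Fault step with the condition (ValidateStatus == false) keeps working unchanged with this script.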