diff --git a/packages/medusa-js/README.md b/packages/medusa-js/README.md
index 4c7b89fdfb..2ec478b67f 100644
--- a/packages/medusa-js/README.md
+++ b/packages/medusa-js/README.md
@@ -23,13 +23,27 @@ yarn add @medusajs/medusa-js
 Import Medusa as a default import and initiate it:
 ```js
-import Medusa from '@medusajs/medusa-js';
+import Medusa from "@medusajs/medusa-js"
-const medusa = new Medusa();
+const medusa = new Medusa()
-const { cart } = await medusa.carts.create({});
+const { cart } = await medusa.carts.create({})
 ```
+### Authentication
+
+Authentication can be achieved in two ways using the `medusa-js` client, either by utilizing API keys or by using cookie based authentication, each with their own unique use case.
+
+#### **Using API keys**
+
+API keys can only be used for admin functionality in Medusa because only users of the admin system have api keys. To use API keys for authentication the key should be used when `medusa-js` is initialized with a config object as described below.
+
+#### **Using cookies**
+
+Authentication using cookies is done automatically by Axios when authenticating using the `auth` endpoints. After authentication all subsequent calls will be authenticated.
+
+_note: Cookie based authentication cannot be used in plain `node.js` applications due to the limitations of axios and `useCredentials` not setting the `Cookie` request header when `set-cookie` is present in the response headers. For pure `node.js` applications use authentication with api keys(see above)_
+
 ## Configuration
 ### Initialize with config object
@@ -39,11 +53,12 @@ The package can be initialized with several options:
 ```js
 const medusa = new Medusa({
 maxRetries: 3,
- baseUrl: 'https://api.example.com',
-});
+ baseUrl: "https://api.example.com",
+})
 ```
-| Option | Default | Description |
-| ------------ | ----------------------------------- | ----------------------------------------- |
-| `maxRetries` | `0` | The amount of times a request is retried. |
-| `baseUrl` | `'http://localhost:9000'` | The url to which requests are made to |
+| Option | Default | Description |
+| ------------ | ------------------------- | --------------------------------------------------------- |
+| `maxRetries` | `0` | The amount of times a request is retried. |
+| `baseUrl` | `'http://localhost:9000'` | The url to which requests are made to. |
+| `apiKey` | `''` | Optional api key used for authenticating admin requests . |
diff --git a/packages/medusa-js/src/request.ts b/packages/medusa-js/src/request.ts
index 59f77a4929..e5ad8e6948 100644
--- a/packages/medusa-js/src/request.ts
+++ b/packages/medusa-js/src/request.ts
@@ -2,12 +2,18 @@ import axios, { AxiosError, AxiosInstance } from "axios"
 import * as rax from "retry-axios"
 import { v4 as uuidv4 } from "uuid"
+const unAuthenticatedAdminEndpoints = {
+ "/admin/auth": "POST",
+ "/admin/users/password-token": "POST",
+ "/admin/users/reset-password": "POST",
+ "/admin/invites/accept": "POST",
+}
 export interface Config {
 baseUrl: string
 maxRetries: number
+ apiKey?: string
 }
 export interface RequestOptions {
- apiKey?: string
 timeout?: number
 numberOfRetries?: number
 }
@@ -83,6 +89,13 @@ class Client {
 .join("-")
 }
+ requiresAuthentication(path, method): boolean {
+ return (
+ path.startsWith("/admin") &&
+ unAuthenticatedAdminEndpoints[path] !== method
+ )
+ }
+
 /**
 * Creates all the initial headers.
 * We add the idempotency key, if the request is configured to retry.
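Review bot: `unAuthenticatedAdminEndpoints` is inferred as an object type with four fixed keys, so indexing it with an arbitrary `path` string in the new `requiresAuthentication` method (the following hunk) is an implicit-any element access that only compiles with `noImplicitAny` off; declaring it `const unAuthenticatedAdminEndpoints: Record<string, string> = {` makes the lookup a typed string index and keeps the `!== method` comparison checked. Moving `apiKey` from `RequestOptions` to `Config` removes the per-request option without a replacement, which breaks callers that pass it today; if that is intended, call it out in the changelog and document the new field with `/** Admin API key, sent as a Bearer token on authenticated /admin routes. */` above `apiKey?: string`. The table also encodes a single exempt method per path, so a path that is public for several methods cannot be expressed; that is fine for the current four entries but worth a comment on the constant.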
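Review bot: `requiresAuthentication(path, method)` leaves both parameters untyped, so they are implicit `any` and the method only compiles with `noImplicitAny` off; the signature should be `requiresAuthentication(path: string, method: string): boolean`. The lookup is an exact, case-sensitive string match, so if the `method` value reaching this point can be lower-case (which axios accepts), a login call would be classified as requiring authentication and carry the Bearer header; normalizing with `method.toUpperCase()` before comparing avoids that, though I cannot see where `method` originates from this hunk. A one-line TSDoc such as `/** True for /admin routes other than the login, password-reset and invite-accept endpoints, which must be callable without a key. */` would document the intent, and `private` narrows the surface if the method is only used by `Client` itself.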
@@ -101,10 +114,10 @@ class Client {
 "Content-Type": "application/json",
 }
- // TODO: if route is an authenticated route, add api key
- if (path.startsWith("/admin")) {
+ if (this.config.apiKey && this.requiresAuthentication(path, method)) {
 defaultHeaders = {
 ...defaultHeaders,
+ Authorization: `Bearer ${this.config.apiKey}`,
 }
 }
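Review bot: The removed TODO should be replaced by a comment explaining the new rule, because the condition now silently does two things: it skips the header when no key is configured (leaving cookie-based auth to Axios) and it skips the endpoints listed in `unAuthenticatedAdminEndpoints`; e.g. `// Admin routes carry the configured API key as a Bearer token, except the unauthenticated auth/reset/invite endpoints; with no key configured we fall through to cookie-based auth.` The key is sent as a plain Bearer token to whatever `baseUrl` is configured, and the README in this same commit documents `http://localhost:9000` as the default, so the `Config.apiKey` docs should say the key travels in clear text unless `baseUrl` is HTTPS. The method that builds `defaultHeaders` starts and ends outside the hunk, so I cannot tell whether a caller-supplied `Authorization` header survives the spread here.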