Service: Internal, private, CORS, auth

Enonic version: 6.4.2
OS: Mac and Linux

So I have made myself a service:

And I found the url for it using!/module-lib_xp_portal.html#.serviceUrl

So it seems the service is available on any page just by adding
to the url.

Now I don’t want to make the service publicly available to the internet.

The doc seems to suggest that it might not be the case by default:

For sites, you may only access the services of the apps that have been added to that site.

But if I visit the below url in my browser it works, even though I’m not logged in to admin:

Which seems to indicate to me the service will be available from the internet too, if I deploy to prod…

How should I go about protecting my service urls?

I guess I should also mention the service is put in:

  • src/main/resources/services

rather than

  • src/main/resources/site/services

Is there a difference?

What happens if you put a different service with the same name in the other folder:

  • src/main/resources/services/myservice/myservice.js // does something
  • src/main/resources/site/services/myservice/myservice.js // does something else

Why do you need to create a “secret” service?

You can always check the req object to see where the request comes from and handle it from there.

1 Like
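
One way to do the `req` check suggested above, as an added example that is not part of the thread and not Enonic's own code. It assumes the request object carries the caller's IPv4 address in `remoteAddress`; the CIDR allowlist and the function names are constructed for illustration.

```javascript
// ES5 syntax, since XP 6 controllers run on the JVM's JavaScript engine.
// Constructed allowlist: replace with the networks that count as "internal" for you.
var INTERNAL_CIDRS = ['127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16'];

// Parse dotted IPv4 into an unsigned 32-bit number; null if malformed.
function ipv4ToInt(addr) {
  var parts = String(addr).split('.');
  if (parts.length !== 4) { return null; }
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) { return null; }
    var octet = parseInt(parts[i], 10);
    if (octet > 255) { return null; }
    n = n * 256 + octet;
  }
  return n;
}

// True when addr falls inside the given CIDR block (e.g. '10.0.0.0/8').
function inCidr(addr, cidr) {
  var pieces = cidr.split('/');
  var ip = ipv4ToInt(addr);
  var base = ipv4ToInt(pieces[0]);
  if (ip === null || base === null) { return false; }
  var size = Math.pow(2, 32 - parseInt(pieces[1], 10));
  return Math.floor(ip / size) === Math.floor(base / size);
}

// Fail closed: a missing or unparseable address is treated as external.
function isInternal(req) {
  var addr = req && req.remoteAddress; // assumption: field is populated by XP
  if (!addr) { return false; }
  for (var i = 0; i < INTERNAL_CIDRS.length; i++) {
    if (inCidr(addr, INTERNAL_CIDRS[i])) { return true; }
  }
  return false;
}

// Service handler; in an XP controller, wire it up with: exports.get = get;
function get(req) {
  if (!isInternal(req)) {
    return { status: 403, contentType: 'text/plain', body: 'Forbidden' };
  }
  return { status: 200, contentType: 'application/json', body: { ok: true } };
}
```

If XP sits behind a reverse proxy, confirm what `remoteAddress` actually contains in that setup before relying on it.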

Why is better answered in private :)

Checking req is a good and simple solution.