Apigees’ API Proxy samples are a great way to get started, but many usage scenario aren’t available as a sample. A somewhat common scenario is wanting to check for an API Key in multiple places. In this exapmle, the proxy will need to be able to check for a API Key that is present as a query string parameter or an HTTP header. This allows the Gateway to adhere to Postel’s Law by allowing the client to determine what’s the best way to transmit the information to the service.
That’s all a fancy way of saying: Let’s make it easy check if the API Key is passed in as a Header or a Query String.
Unfortunately, with Apigee, it’s not so easy to check both of them. In this example, we’ll use a Javascript Policy to check if the API Key exists in the query string. If it does, the value will be copied into a header variable. After that, a normal Verify API Key Policy will be used to check the header value.
Hopefully, in a future post, I can reimplement this using only Apigee Policies and without using Javascript. There is a performance penalty that comes with using Javascript in Apigee and I would like to see just how severe that penalty can be.
Here is a Shared Flow that will do just the two steps mentioned above:
And, now for the Javascript. Which is a combination of a Policy and a .js file. This one does all the heavy lifting:
Finally, use the standard Verify API Key policy to check the header value:
2 comments:
Couldn't you (in front of VerifyAPIKey) use an AssignMessage policy with the condition that the x-api-key request header is empty, then let it Copy from QueryParam x-api-key and AssignTo request header x-api-key?
(Still an extra policy, but no javascript...)
/Thomas
Yeah, that sounds like it would work. If you have a chance, create a gist and link it to the page.
Post a Comment