Is it possible to have different authentication for API than for user login?
I have an app where the user should be able to access it only through Google SSO. That app generates content that I’d like to retrieve via the API. However, I find that if I disable the username/password login, the API stops accepting the authentication. If I enable it, then the API works again but the users have the option to log in with name and password.
This isn’t really a security concern as they don’t actually have passwords associated with their account. It’s more along the lines of avoiding a wave of confusing tickets when their Gmail passwords do not work on the Anvil login.
If you use the authenticate_users=True parameter to @anvil.server.http_endpoint(), then your API endpoint will support HTTP Basic username/password authentication against the Users service. If you want to use a different authentication method, you can – remove the authenticate_users from your endpoint config, and parse the authentication out of the HTTP headers yourself.
Authenticating to an API with Google SSO is tricky - there isn’t an out-of-the-box way to do it (signing into Google is something that’s deliberately not supposed to be automated). The usual way to do this is for a human to authenticate in the browser, and then get an API authentication token which they can supply as an HTTP header (or HTTP Basic password) in their HTTP requests. (You can store this authentication token in a column in the Users table.)
(If you are using your API endpoints from your Anvil Forms, of course, life is much easier – if you call an HTTP endpoint from an Anvil form, it will execute in the same Anvil session as the rest of your app’s Forms and Server Modules, so you can just call anvil.users.get_user().)
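The token approach described in the answer above, as an added example that is not part of the original posts or Anvil's own code: it pulls a token from the Authorization header (Bearer, or the HTTP Basic password) and matches it against stored values. The `USERS` list, the `api_token_hash` column and all function names are hypothetical, and storing a digest instead of the raw token is a choice of this example; in an endpoint without authenticate_users the headers would come from anvil.server.request.headers.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the Users table: each row keeps only a SHA-256
# digest of the API token, in a hypothetical "api_token_hash" column.
USERS = []

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(email):
    """Run after the user has signed in with Google SSO in the browser; returns the token once."""
    token = secrets.token_urlsafe(32)
    USERS.append({"email": email, "api_token_hash": _digest(token)})
    return token

def token_from_headers(headers):
    """Return the token from 'Authorization: Bearer <t>' or from the
    password part of HTTP Basic; None if the header is absent or malformed."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, cred = value.strip().partition(" ")
    cred = cred.strip()
    if scheme.lower() == "bearer" and cred:
        return cred
    if scheme.lower() == "basic" and cred:
        try:
            decoded = base64.b64decode(cred, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return None
        _, sep, password = decoded.partition(":")
        return password if sep and password else None
    return None

def authenticate(headers):
    """Return the matching user row, or None (the endpoint should answer 401)."""
    token = token_from_headers(headers)
    if token is None:
        return None
    candidate = _digest(token)
    match = None
    for row in USERS:
        # Constant-time comparison, and no early exit from the loop.
        if hmac.compare_digest(row["api_token_hash"], candidate):
            match = row
    return match
```

Because the Basic branch ignores the username, a client that can only send HTTP Basic credentials can put the token in the password field, as the answer suggests.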