I am using Strapi to manage our fablab. We propose workshops people can register to. I would want to reduce the complexity of the registration to a minimum for the user. That means that I’d like the user not to have to be logged in to register to a workshop and using only the user email.
So the frontend (eleventy + svelte) have to be able to find any user, and be able to send an email. As there is no account, these queries are made with the Public roles. So the Public role allows the endpoint to list all the registereds (and the corresponding emails) and is able to send email at the email endpoint (via sendgrid). This is a big issue.
I don’t see any solution to secure a bit these endpoints. So I am looking for advice: is there a way to be more secure without asking a login?
Still thinking out loud here. Could a solution be to issue a jwt with a few minutes life time? Is it possible to override the default jwt expiration time?
You can modify the JWT lifetime to be quite a bit shorter yes: https://strapi.io/documentation/v3.x/plugins/users-permissions.html#jwt-configuration
As to your global question, I do not see a good way to secure the “public” role in the way you are expecting.
Thank you very much for your answer.
Regarding the jwt configuration, I would need two lifetimes, one for the admin site so that the admins won’t have to login too regurlarly (currently setup to 1 hour). And a second one much shorter (5-15 minutes) for the regular users to register to the fablab activities to give them temporary permissions.
Anyway, you’re right, I won’t be able to secure the api access this way, as anyone could ask for these tokens anyway…
I will have to resolve to setup a signin flow…
Yeah the JWT settings I linked are only for the users-permissions plugin and not the Admin panel