05-19-2020, 03:38 AM
I did a little more digging and the difference between the REST API and JavaScript Library is that the former uses the endpoint "/REST" with JSON and the latter uses "/default/Api" with XML.
I confirmed this using Chrome DevTools to get the request made by the JavaScript Library get_ticket call, and was able to recreate that with the JavaScript fetch function, setting the header content-type to 'text/xml' and using an XML body.
My current understanding is that the endpoint /REST goes through more hoops to get to the REST handler, including security, than the default/Api endpoint.
In the case of the /REST endpoint, I need to figure out how to allow guest (perhaps through guest_url_allow) but not allow access to the entire API.
In the case of the default/Api endpoint, I believe it works because get_ticket is the only function without a decorator - the decorators in api_xmlrpc check security.
I think it would be nice if the REST API and the JavaScript Library were consistent, at least in get_ticket right now. This might mean doing a special configuration for guest access to the REST API.
Although I'd like to do this soon, in the short term I may just craft a wrapper to get_ticket using the XML call, or use my custom guest endpoint.
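Added example, not part of the original post and not the project's own code: a small Python audit for the pattern the post describes, where per-method decorators enforce security and one pre-auth method is left bare. It lists every public handler method that lacks the security decorator and is not on an explicit pre-auth allowlist. The names `requires_ticket`, `ApiHandler`, `ping`, `query` and the `_security_checked` marker are hypothetical; only `get_ticket` comes from the post.

```python
import functools
import inspect

def requires_ticket(func):
    """Hypothetical security decorator: rejects calls without a valid ticket."""
    @functools.wraps(func)
    def wrapper(self, ticket, *args, **kwargs):
        if ticket not in self.valid_tickets:
            raise PermissionError(f"{func.__name__}: invalid ticket")
        return func(self, ticket, *args, **kwargs)
    wrapper._security_checked = True  # marker the audit below looks for
    return wrapper

class ApiHandler:
    """Constructed stand-in for an XML-RPC handler class (assumption)."""
    valid_tickets = {"constructed-ticket"}

    def get_ticket(self, login, password):
        # Callable before a ticket exists, so it carries no decorator.
        return "constructed-ticket"

    @requires_ticket
    def query(self, ticket, search_type):
        return []

    def ping(self, ticket):
        # Constructed mistake: the decorator was forgotten here.
        return "OK"

# Methods that are intentionally reachable without a ticket.
PRE_AUTH_ALLOWLIST = {"get_ticket"}

def unprotected_methods(handler_cls, allowlist=PRE_AUTH_ALLOWLIST):
    """Return sorted public method names that lack the security marker
    and are not explicitly allowlisted as pre-auth."""
    found = []
    for name, member in inspect.getmembers(handler_cls, inspect.isfunction):
        if name.startswith("_") or name in allowlist:
            continue
        if not getattr(member, "_security_checked", False):
            found.append(name)
    return sorted(found)

if __name__ == "__main__":
    print(unprotected_methods(ApiHandler))
```

Run as a unit test in CI, a check like this fails the build when a new handler method ships without the decorator, so guest-reachable functions stay limited to the allowlist.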