Previously, because an API key was only validated if allowAnonymous was true, an invalid API key could be provided and the request would have been accepted; also, if a valid API key was provided, it was not used to authenticate the user.
The previous commit b537de0854 (L3R67) resulted in the API not being available to authenticated users. The statement if (allowAnonymous) around the route prevented the route being available. It is unnecessary to enforce this at a routing level as the middleware b537de0854/lib/middleware.js (L209) prevents API write requests without correct authentication.
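The two properties this commit message describes (a presented key is always validated, and a valid key authenticates the user), as an added example that is not JS Bin's own code. The "token <key>" header format, the key store, the `res.deny` helper and the `decide` harness are assumptions made for the illustration.

```javascript
// Added illustration, not JS Bin's code. Key values, user names and the
// header format are constructed for the example.
const API_KEYS = new Map([['k-valid-123', { name: 'alice' }]]);
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);

// Pull the key out of an "Authorization: token <key>" header (assumed format).
// Returns null when no header was sent, '' when one was sent but is malformed.
function presentedKey(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^token\s+(\S+)$/i.exec(header);
  if (match) return match[1];
  return header ? '' : null;
}

// Connect-style middleware factory. The key check does not depend on
// allowAnonymous: a presented key is always validated first.
function apiAuth(config) {
  return function (req, res, next) {
    const key = presentedKey(req);
    if (key !== null) {
      const user = API_KEYS.get(key);
      if (!user) return res.deny(403, 'invalid API key'); // never fall through to anonymous
      req.user = user;                                     // a valid key authenticates the caller
      return next();
    }
    if (req.user) return next();                           // already authenticated, e.g. by session
    if (WRITE_METHODS.has(req.method)) return res.deny(403, 'authentication required');
    if (!config.allowAnonymous) return res.deny(403, 'anonymous access disabled');
    return next();                                         // anonymous read
  };
}

// Harness (hypothetical): runs the middleware without an HTTP server and
// returns the decision. res.deny stands in for the framework's error response.
function decide(config, req) {
  let outcome = null;
  const res = { deny: (status, reason) => { outcome = { status, reason, user: null }; } };
  apiAuth(config)(req, res, () => {
    outcome = { status: 200, user: req.user ? req.user.name : null };
  });
  return outcome;
}
```

The route itself stays mounted whatever allowAnonymous is set to; the setting only decides what happens to requests that carry no credentials at all.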
- Added allowReadOnly in config - defaults to true
- read only has CORS support
- Add handler for :rev route, and autoload the latest (needs more cleaning up)
- Allow xhr requests to both /api/x and /abcd/123 (how it originally worked)
This will return an error response that isn't currently picked up by
the JS Bin front end, but it does stop MySQL throwing exceptions. It
can be turned off by setting the "bin max-size" to 0 or null.
We now detect subdomains by taking anything before the "url host"
option rather than assuming the host will always be x.y.
So if the host is "localhost:3000" then "subdomain" will be
extracted for requests to "subdomain.localhost:3000".
This essentially mounts the application as middleware within another
connect server under the specified prefix. This means that when
redirecting, helpers.url() must be used to get the full path, and
req.path will be missing the prefix.
This seems a little hairy but essentially avoids creating modules
with factory functions, which seems very clunky. We now provide various
helper functions that are bound to the application state such as
url, routing and models via the request object. This is massively
overloading this object but seems to be the common way in Express
apps to pass state into handlers.