feat: api token, default token

[jiblett1000]

Types of changes

• Bug fix (a non-breaking change which fixes an issue)
• New feature (a non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Description

This is just a redo of my previous PR (#318) which I somehow managed to completely bork.

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes (if not applicable, please state why)

[nuxt-studio]

✅ Live Preview ready!

Name	Edit	Preview	Latest Commit
Strapi	Edit on Studio ↗︎	View Live Preview	a072948

[benjamincanac]

Are you sure defaulting to the config.strapi.apiToken is the right thing to do here? For example if I set an apiToken to use in a specific section of my app, I might not want to use it all the time when a user is logged out.

[jiblett1000]

@benjamincanac I wan't entirely sure which way to go with it. My thinking with it this way was trying to avoid cluttering the module config with too many options considering that a token can always be passed to the composable(s).

But, I was considering maybe adding an additional boolean config (privateApi) or something) to allow someone to set whether to use the apiToken in their config as the fall back if the jwt isn't set. This might be beneficial to someone who doesn't want their API public. I'm not against that, if that works for you. It could be this instead:

    headers.Authorization = `Bearer ${options.token}`
    } else if (config.strapi.defaultToken === 'user' && userToken.value) {
      headers.Authorization = `Bearer ${userToken.value}`
    } else if ((config.strapi.defaultToken === 'api' && config.strapi.apiToken) || (config.strapi.privateApi === true && config.strapi.apiToken) {

I'm not sure that privateApi is the best name for that, but just a spur of the moment idea.

[benjamincanac]

I'm wondering, why would you use an api token in your app instead of just using a public endpoint? As this http call will be client-side, all users will be able to see this token so it comes to the same thing.

[jiblett1000]

Hmm, yeah. Potentially, a bit of a misconception on my part. I'm sure you would know better than I. Most of my understanding is just from some articles rather than a wealth of experience. Such as:

https://cloud.google.com/endpoints/docs/openapi/when-why-api-key#:~:text=API%20keys%20provide%20project%20authorization,-To%20decide%20which&text=By%20identifying%20the%20calling%20project,or%20enabled%20in%20the%20API.

[benjamincanac]

Sorry it took so long to catch up, but the only use-case I see to use api tokens in nuxt is if it's used server-side as these tokens are private. However, as mentioned here #320 (comment), the module does not export server functions as of right now.

[jiblett1000]

No worries. I appreciate you bearing with me as I get up to speed myself :) What you're saying makes total sense. I think there might still be something of value here in terms of customizing the default behavior of the composables. Not in relation to api tokens, but rather maybe not passing the jwt to particular instances of useStrapi and useStrapiClient? Or maybe not, lol. It's super late here and I think my brain is giving up for the night. I'll close this PR for now and give it another think tomorrow. Thanks again!