Manage customer access to Glue API resources
The Customer Access API allows storefront owners to prevent unauthorized (guest) users from accessing certain REST API resources. This capability is tied to the Customer Access feature, which lets you restrict access to certain content items in Spryker Back Office.
Access to the resources protected by the API depends on the setup of the [Customer Access](/docs/pbc/all/customer-relationship-management/202410.0/base-shop/customer-access-feature-overview.hrml) feature. If a certain type of information is restricted to customer access only, all API resources associated with it are protected from unauthorized access. If access is unrestricted, the respective resources are available to guest users as well. For example, if you restrict the *can place an order* functionality to customer access only, customers can check out an order only when authenticated, and the associated API resources (`checkout` and `checkout-data`) are available only upon authentication. If you don't restrict access, everyone can use the resources. In other words, you can prevent access only to the resources that belong to one of the Customer Access feature items.
This document shows how to map API resources to the Customer Access feature items.
The Customer Access feature items available out of the box are mapped to API resource types by default. The corresponding resource types are as follows:

- *price*: `abstract-product-prices` and `concrete-product-prices`
- *add-to-cart*: `guest-cart-items`
- *wishlist*: `wishlists` and `wishlist-items`
- *can place an order*: `checkout` and `checkout-data`
To define the mapping of API resource types to content types, follow these steps:

1. Open or create the file `src/Pyz/Glue/CustomerAccessRestApi/CustomerAccessRestApiConfig.php`.
2. The file contains the `CustomerAccessRestApiConfig::CUSTOMER_ACCESS_CONTENT_TYPE_TO_RESOURCE_TYPE_MAPPING` array, where each entry maps a Customer Access feature item to the corresponding API resource types. For example, in the following code block, the item *can place an order* is mapped to two resource types, `checkout` and `checkout-data`:

   ```php
   <?php

   namespace Pyz\Glue\CustomerAccessRestApi;

   ...

   class CustomerAccessRestApiConfig extends SprykerCustomerAccessRestApiConfig
   {
       // Content item (key) => API resource types protected together with it (values)
       protected const CUSTOMER_ACCESS_CONTENT_TYPE_TO_RESOURCE_TYPE_MAPPING = [
           CustomerAccessConfig::CONTENT_TYPE_ORDER_PLACE_SUBMIT => [
               CheckoutRestApiConfig::RESOURCE_CHECKOUT,
               CheckoutRestApiConfig::RESOURCE_CHECKOUT_DATA,
           ],
       ];
   }
   ```

   Define the mapping for the resources you need. For the constants that represent the content item types, see the file `src/Spryker/Shared/CustomerAccess/CustomerAccessConfig.php`. For the constants that represent API resource types, see the configuration files of the corresponding APIs.
3. Save the file.
4. You can now restrict access to the Customer Access feature items that are mapped to the REST API resources you want to protect. This is done in Spryker Back Office. For detailed instructions, see Managing Customer Access.
The default `CustomerAccessRestApiConfig.php` of Spryker Storefront looks as follows:

```php
<?php

namespace Pyz\Glue\CustomerAccessRestApi;

use Spryker\Glue\CheckoutRestApi\CheckoutRestApiConfig;
use Spryker\Glue\CartsRestApi\CartsRestApiConfig;
use Spryker\Glue\CustomerAccessRestApi\CustomerAccessRestApiConfig as SprykerCustomerAccessRestApiConfig;
use Spryker\Glue\ProductPricesRestApi\ProductPricesRestApiConfig;
use Spryker\Glue\WishlistsRestApi\WishlistsRestApiConfig;
use Spryker\Shared\CustomerAccess\CustomerAccessConfig;

class CustomerAccessRestApiConfig extends SprykerCustomerAccessRestApiConfig
{
    protected const CUSTOMER_ACCESS_CONTENT_TYPE_TO_RESOURCE_TYPE_MAPPING = [
        CustomerAccessConfig::CONTENT_TYPE_PRICE => [
            ProductPricesRestApiConfig::RESOURCE_ABSTRACT_PRODUCT_PRICES,
            ProductPricesRestApiConfig::RESOURCE_CONCRETE_PRODUCT_PRICES,
        ],
        CustomerAccessConfig::CONTENT_TYPE_ORDER_PLACE_SUBMIT => [
            CheckoutRestApiConfig::RESOURCE_CHECKOUT,
            CheckoutRestApiConfig::RESOURCE_CHECKOUT_DATA,
        ],
        CustomerAccessConfig::CONTENT_TYPE_ADD_TO_CART => [
            CartsRestApiConfig::RESOURCE_GUEST_CARTS_ITEMS,
        ],
        CustomerAccessConfig::CONTENT_TYPE_WISHLIST => [
            WishlistsRestApiConfig::RESOURCE_WISHLISTS,
            WishlistsRestApiConfig::RESOURCE_WISHLIST_ITEMS,
        ],
    ];
}
```
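The following script is an added example, not part of the Spryker code base or of this page. It shows how the rule described above plays out for a guest request: a resource type is protected as soon as any content item it is mapped to has been restricted in Back Office. The string keys stand in for the `CustomerAccessConfig::CONTENT_TYPE_*` constant values (assumed, so the script runs without the Spryker classes), and the list of restricted items is constructed sample input.

```php
<?php
// Added example (not Spryker code): decides whether an unauthenticated (guest)
// request to a Glue resource type must be rejected, given the content-type-to-
// resource mapping and the content items restricted in Back Office.
declare(strict_types=1);

// Mapping taken from the default config above, written as string literals.
// The keys are assumed stand-ins for the CONTENT_TYPE_* constant values.
const CONTENT_TYPE_TO_RESOURCE_TYPE = [
    'price'              => ['abstract-product-prices', 'concrete-product-prices'],
    'can place an order' => ['checkout', 'checkout-data'],
    'add-to-cart'        => ['guest-cart-items'],
    'wishlist'           => ['wishlists', 'wishlist-items'],
];

/**
 * Inverts the mapping: resource type => content items it belongs to.
 * A resource listed under several items is protected if any of them is restricted.
 */
function resourceToContentTypes(array $mapping): array
{
    $inverted = [];
    foreach ($mapping as $contentType => $resourceTypes) {
        foreach ($resourceTypes as $resourceType) {
            $inverted[$resourceType][] = $contentType;
        }
    }
    return $inverted;
}

/**
 * True when a guest request to $resourceType must be rejected, i.e. the
 * resource belongs to at least one restricted content item. A resource that
 * is absent from the mapping cannot be protected by this feature at all.
 */
function requiresAuthentication(string $resourceType, array $mapping, array $restrictedContentTypes): bool
{
    $owners = resourceToContentTypes($mapping)[$resourceType] ?? [];
    return count(array_intersect($owners, $restrictedContentTypes)) > 0;
}

// Constructed sample: Back Office restricts "can place an order" and "price" only.
$restricted = ['can place an order', 'price'];
foreach (['checkout', 'checkout-data', 'guest-cart-items', 'wishlists', 'unmapped-resource'] as $resource) {
    $decision = requiresAuthentication($resource, CONTENT_TYPE_TO_RESOURCE_TYPE, $restricted) ? 'denied' : 'allowed';
    printf("%-24s guest access: %s\n", $resource, $decision);
}
```

Use the inverted mapping as an audit aid: any resource you expect to be protected but which does not appear in it is not covered by the Customer Access feature and needs its own access control.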