Recently I wrote about mocking auth in CAP for a rapid local-first development loop, one that lets you embrace auth design rather than defer it until later. In development mode, unless you state otherwise (i.e. unless you add appropriate annotations such as @readonly, @requires or @restrict), all resources are accessible to everyone, even without authenticating. This is fitting: it supports the tight feedback loop that folks love when developing with CAP. What about production? Is it the same there, i.e. do we have to make sure we lock down access before moving to production? Of course not. Here's how things work.

Default auth settings for development

In development mode, the default auth strategy is "mocked", as we can see by asking the CLI for the effective configuration:

; cds env requires.auth
{ restrict_all_services: false, kind: 'mocked', users: { alice: { tenant: 't1', roles: [ 'admin' ] }, bob: { tenant: 't1', roles: [ 'cds.ExtensionDeveloper' ] }, carol: { tenant: 't1', roles: [ 'admin',…
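To make the "unless you state otherwise" part concrete, here is a small service definition that uses the three annotations named above together with the mocked users alice (role admin) and bob (role cds.ExtensionDeveloper) from the configuration just shown. This is an added example, not code from the original post or from the CAP project; the namespace, entity and service names are assumptions chosen for illustration.

```cds
// Added example (not from the original post): opting out of the
// development-mode default of "everything is open to everyone".
// Entity and service names below are hypothetical.
using { cuid } from '@sap/cds/common';

namespace demo;

entity Orders : cuid {
  description : String;
}

entity AuditLog : cuid {
  message : String;
}

// Without @requires this service would be reachable anonymously in
// development mode (restrict_all_services is false). With it, unauthenticated
// requests are rejected even with the mocked strategy.
@requires: 'authenticated-user'
service OrdersService {

  // Any authenticated mocked user (alice or bob) may read;
  // only a user carrying the 'admin' role (alice) may create, update or delete.
  @restrict: [
    { grant: 'READ',  to: 'authenticated-user' },
    { grant: 'WRITE', to: 'admin' }
  ]
  entity Orders as projection on demo.Orders;

  // Read-only for everyone who can reach the service; write operations
  // are rejected regardless of role.
  @readonly
  entity AuditLog as projection on demo.AuditLog;
}
```

Run this with `cds watch` and the mocked strategy does the checking for you: an anonymous GET on OrdersService gets 401, a write to Orders authenticated as bob gets 403, the same write as alice succeeds, and a POST to AuditLog is rejected for both. That is exactly the behaviour you want to settle during the local loop rather than discover in production.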