I saw there’s many built-in feature and APIs, such as chat, save/load data.
I would like to know if it’s possible to hook those API to custom Typescript code.
For example, some user send a chat message, our custom code intercept it, and do some custom validation to decide if it should be executed.
Furthermore, or can I disable all the built-in API for clients, and only open RPC custom API to clients?
The same example, some user send a custom RCP request to chat, do some custom validation, and if ok we call built-in chat API for him on servers.
Just wanna confirm how much access control is available?
You cannot disable the APIs (see @zyro’s response below), you should can use the before hooks to add custom logic to the authentication endpoints if you wish to have custom access control logic.
If I cannot disable the APIs by default, then a client may be able to abuse the built-in APIs like write objects.
Will it be a potential secure issue because all clients should be treated as untrusted ones?
Objects created via the REST API will always be owned by the authenticated user and you can set if other players have read access to his data by setting the read permissions accordingly.
@joappdev On top of the built-in controls that @sesposito mentioned you can also create an “API guard” pattern to disable APIs you don’t want clients to directly have access to.
Just register a before hook on the function call you wish to disable, and instead of returning the request input and letting the server continue processing just return nil - the server knows to handle this exact scenario as a disabled API call.
For example in this docs snippet you could return nil instead of return payload and the API call would not proceed.