how can I check if a user is querying this through API and with a valid bearer token?

  • Gamers

    So, I created a custom plugin just to add a new URL "page" and its API endpoint like this.

    Plugin.load = function (params, callback) {
    
    	var router = params.router;
    	var middleware = params.middleware;
    
    	// Define the function that renders the custom route.
    	async function render(req, res, next) {
    
    		if ( ( req.user !== undefined && req.user !== null ) ) {
    
    			// Get whatever data you want to send to the template here.
    			var data = {
    				query: req.query,
    			};
    
    			// This is the path to your template without the .tpl, relative to the templates directory in plugin.json
    			var template = 'comments'
    
    			// Send the page to the user.
    			res.render(template, data);
    
    	   	} else {
    
    			next();
    			
    		}
    
    	}
    
    	// This actually creates the routes, you need two routes for every page.
    	// The first parameter is the actual path to your page.
    	router.get('/comments', middleware.buildHeader, render);
    	router.get('/api/comments', render);
    
    	callback();
    };
    

    When I do

    if ( ( req.user !== undefined && req.user !== null ) ) {
    

    I ensure that the user has to be logged in in order to see the page or API.

    But, how can I check if a user is querying this through API and with a valid bearer token?

  • GNU/Linux Admin

    @sebastián-cisneros you'll want to use the "setupPageRoute" helper instead of defining the routes in two lines like you've done.

    Check out how quickstart does it.

    As for the second question, you might be able to check res.locals.isAPI

  • Gamers

    @julian Thanks for your help.

    what quickstart ?

    also, the res.locals.isAPI its boolean, only tells me if the request is through API, but I still don't know how to check if the request token is valid. I only want to show this page, and the API endpont json output if the token is valid (just like almost all pages on nodebb do)

    again thanks for the quick reply on this matter.

  • GNU/Linux Admin

    @sebastián-cisneros GitHub.com/NodeBB/nodebb-plugin-quickstart

    I'm not certain offhand if there is a way to ensure that the call is only made via API bearer token...

    Right now the middleware.ensureLoggedIn (may be named something else... requireLoggedIn?) just checks that a valid user session is present.

  • GNU/Linux Admin

    @sebastián-cisneros any particular reason you don't want to allow those with a regular browser cookie to visit this page?

  • Gamers

    @julian maybe I wasn't clear. I'm cool with the logged in user to see this new custom page, as long as is logged in. The thing is that, I also need the API endpoint to be avialable for users logged in, or anyone that is not on a browser and querying this through API.

    Similar as how the nodebb read / write API does, you have the endpoints, you can see the jsons in the browser if you are logged in, or you can query this endpoints with POSTMAN for example, but you need to provide a token to authenticate the API call.

    My custom page API endpoint is public, and I need it not to be public. And I need to find a way that only loggedin users in the browser, or external call to the API authenticate throught tokens can see the json output.

  • GNU/Linux Admin

    @sebastián-cisneros Ah, then you'll just want to invoke middleware.ensureLoggedIn on that route.

  • Gamers

    @julian I will give it a try, Thanks so much.

Suggested Topics

| |