    Pass current AppDrag admin user name to API?

    Cloud Backend (Cloud DB, API Builder)
    • T
      ThomasD last edited by

      Any way to do this? (So we can track who made changes)

      • Wassim
        Wassim last edited by

        Hello, in which context do you execute your API calls? I need that detail to know how you could achieve that.

        • T
          ThomasD @Wassim last edited by

          @wassim

          I'm assuming, via custom admin button (Configure left menu).

          A while back (old chat) you mentioned that when using custom menu, that the current user tokens are submitted to the URL? I asked for docs but never heard back.

          • Wassim
            Wassim last edited by

            Oh I see, let me discuss it internally about what we can expose and provide in the documentation (it's added to my notes with the link of this post to give updates)

            • T
              ThomasD @Wassim last edited by ThomasD

              @wassim

              Thanks, appreciated.

              I think the safest way to do it is like I described in the other thread.

              • Wassim
                Wassim last edited by

                You're welcome, yes and as you have the user token you might call AppDrag API to get user information (will see if we provide another way and/or expose this API call)

                • T
                  ThomasD @Wassim last edited by

                  @wassim Super! Can't wait 🙂

                  • Wassim
                    Wassim last edited by

                    @ThomasD I wrote a support article on how to create custom admin interfaces and I added an example on Authentication with the user token and AppDrag API.

                    https://support.appdrag.site/blog/84-Create-integrated-custom-dashboard---admin-interfaces.html?category=15

                    • T
                      ThomasD @Wassim last edited by

                      @wassim

                      Thanks, I had hoped for something properly secure, but it will do.

                      Passing security tokens in the URL also means that it would be stored in customers' bookmarks and the ISP and DNS provider will have access to the token.

                      • Joseph Benguira
                        Joseph Benguira last edited by

                        @ThomasD: Since we are using SSL, the URL parameters are NOT visible for a Man-In-The-Middle attack, nor for your ISP, VPN or DNS provider ...

                        https://stackoverflow.com/questions/499591/are-https-urls-encrypted

                        So no, it's not a security risk or a lower security to do it that way in this context 😉

                        • T
                          ThomasD @Joseph Benguira last edited by

                          @Joseph-Benguira

                          Yeah, in the recent versions of TLS it does encrypt it fully. However, DNS might leak it since encrypted DNS resolution isn't that much of a standard yet. And browsers will still save the token in browser history.

                          If it's overkill to encrypt it properly, maybe, but it's an additional protection against 3rd party attacks, since no one can just take the token (from a browser) and send it without the shared secret.

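The idea raised in the last post, a URL token that is useless without a shared secret, sketched as an added example; it is not AppDrag's API and not code from this thread. The parameter names (`token`, `user`, `ts`, `sig`), the secret, the host and the 60-second window are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this sketch: the secret is held server-side by the issuer and
# the receiving API only, and a signed link is valid for 60 seconds.
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE = 60


def _mac(token: str, user: str, ts: str, secret: bytes) -> str:
    # Length-prefix each field so shifting characters between fields changes the message.
    msg = "".join(f"{len(f)}:{f}" for f in (token, user, ts)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_url(base: str, token: str, user: str, ts: int,
              secret: bytes = SHARED_SECRET) -> str:
    """Issuer side: append token, admin user, timestamp and their HMAC."""
    query = {"token": token, "user": user, "ts": str(ts)}
    query["sig"] = _mac(token, user, query["ts"], secret)
    return f"{base}?{urlencode(query)}"


def verify_url(url: str, now: Optional[int] = None,
               secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Receiver side: return the admin user if the link is authentic and fresh."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if any(k not in q for k in ("token", "user", "ts", "sig")):
        return None
    expected = _mac(q["token"], q["user"], q["ts"], secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), q["sig"].encode()):
        return None
    try:
        age = (int(time.time()) if now is None else now) - int(q["ts"])
    except ValueError:
        return None
    # A link pulled from history or bookmarks after the window is rejected.
    return q["user"] if 0 <= age <= MAX_AGE else None


if __name__ == "__main__":
    # Constructed sample values; admin.example.test is a placeholder host.
    link = build_url("https://admin.example.test/panel", "tok123", "thomas", 1000)
    print(verify_url(link, now=1030))   # within the window
    print(verify_url(link, now=5000))   # same link replayed later
```

A link replayed inside the validity window still verifies, so the window should be short and the token itself still treated as a secret.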