REMINDER
Protect API from calls outside of the private area
-
Hi there,
How can I make sure that an API can only get called after the user has successfully logged into the private area?
I know how to protect the html pages, but I'm not yet sure what the best approach is for the API functions.
Thanks in advance!
-
Hi,
What do you call the private area?
-
An area/web pages the user has access to after logging in.
The private pages then all have the following additional bit of JavaScript to protect these pages from direct access without having logged in first:
<script>
  // Wait for jQuery to load before executing code
  addEventListener('JqueryLoaded', function(e) {
    var readEmail = sessionStorage.getItem('email');
    var readToken = sessionStorage.getItem('token');
    // No stored login details in this browser session: send the visitor back to the login page
    if (readEmail == "" || readEmail == null || readToken == "" || readToken == null) {
      window.location.href = 'login.html';
    }
  }, false);
</script>
Now I also want to protect the API functions from being accessed by anybody who has not successfully logged into the private area ...
-
Hi @Dick-Honing and @ec-Organizer,
It looks like you already have a token system for authentication.
A solution is to send that token along with every API call from the front-end.
Then, in your API functions, you 'check' the token before running the actual function/returning any data.
Something in Node.js might look like:
if (tokenIsValid(event.POST.token) === false) {
  callback(null, {status: "NOT AUTH"}); // handle this error on the client side
  return; // stop code execution
}
// Then continue with your normal function code here
tokenIsValid, in this example, would check the token against the user database to ensure the token was valid.
-
@Daniel-Mulroy Hi Daniel, thanks! And sorry about the Dick Honing / ecOrganizer confusion. I created a second account to test the sharing settings before handing it over to third parties and somehow this account got stuck in Safari ...
Btw: can I contact you backchannel / via email?