Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Password authentication, Kasper's API

edited December 2015 in Vanilla 2.0 - 2.8

"Does this work for native applications, non-web scenarios, or third-party products?No. jsConnect is purely a web-based SSO workflow for your existing login system. We have separate products for popular third-party platforms and non-web scenarios."

Hello. The above was culled from the official docs. I have created an android app for my forum with users authenticating with their usernames and emails.

The session based method( looks like a winner but it's web based.

Is there a way for them to login with username/email with their passwords perhaps by getting a json response token?

Much thanks.



  • Options
    hgtonighthgtonight ∞ · New Moderator

    Are you looking to only use the API?

    Or are you looking to load the existing views into your app?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Options
    edited December 2015

    I'm using the API. Endpoints that require authentication require only a users


    The thing is, usernames and emails can easily be gotten. Basically, my question is how can I get endpoints that need authentication to require


    akin to the web based login?

    Attached is a screenshot of my login screen. Requiring username and email.

  • Options

    What you mean web based?

    If they can communicate by http they can log in.

    Is this a client app? if so then there is no need proxy the request. Just hold their session cookies. Send the credential to /entry/signin as normal http POST. Once they are logged in you can use the API.

    grep is your friend.

  • Options

    you can fetch the form with entry/signin?DeliveryType=VIEW with has the transient key included, you could include this in a browser object.

    if you change the action to entry/signin.json and make asymmetric to capture if the login is incorrect the you will get Code and Exception attributes. if you do get those you should be logged in.

    You can verify this with /profile.json

    This will only persist with session handling.

    However many of the html5 based app libraries effectively allow to over style web pages anyway, so you can have a normal login.

    grep is your friend.

  • Options

    @x00 much thanks for your assistance. Yes it is a client app (Cordova for Android to be exact).

    Are you saying I can post login credentials to 'entry/signin'? It's not one of the endpoints of the API...(

    The way many auth services work eg Facebook is once correct credentials are posted a token is sent to the client. This token is then sent along with future post/get request

  • Options
    x00x00 MVP
    edited December 2015

    You can use what every authentication you like. But it would very foolish to use the signature based method, which is for server to server. That would hand over full control.

    Kasper's API clearly mentions session authentication is for client <-> server communication.

    [quote]This method is in fact just the default Vanilla authentication. It is semi-stateless in the sense that when authenticating with the server, each client gets assigned a cookie which initiates a session. If a client accesses the API with a valid session, he or she can freely interface with Vanilla using the API, only restricted by their permissions.

    Should you wish to use the session based authentication method, you'll need to use one of the many SSO solutions available for Vanilla to authenticate users from within your application.[/quote]

    You can use one of the authentication methods like Google Plus, you still need session cookies.

    Cookies are not that different from tokens, in that they also get sent with each request. In fact it is one way of sending a token.

    cordova has:

    session ideas:

    Current versions may be supporting session without this workaround, you need to check.

    grep is your friend.

  • Options
    x00x00 MVP
    edited December 2015

    Are you doing

    client <-> api/vanilla


    client <-> server <-> api/vanilla

    As you could go token authentication with middleware that connects with some SSO. Personally I would use session based as less thing to go wrong, it is a ready solution, with is less overhead, you benefit from security updates.

    grep is your friend.

  • Options
    x00x00 MVP
    edited December 2015

    Also you could create a token based endpoint plugin for vanilla as an authentication method. I wouldn't though.

    grep is your friend.

Sign In or Register to comment.