What is the API v2 good for?
boblo
Hi. I'm reading through the docs for the new API.
Regarding the authorization process. What is the API good for if a user has to manually generate an access token?
General usage of the API looks very good, but I can't really use it as a JSON API if I can't sign in my users programmatically.
Is it just meant for admin usage?
Comments
First there is no such thing as being "signed in" in HTTP.
HTTP is stateless. Without cookies nothing bridges the requests; sessions only exist in the context of a request from a browser that stores cookies.
What is the use case?
The API is suitable for server-to-server communication, so users don't have to be signed in for you to do operations with the API. It would not be secure to do client-to-server communication with an access token.
The API is not for SSO; you can do SSO separately, then use that as a basis for using a token server to server. It is up to you to check they are allowed the information and capabilities you give them. Also, it is not usually a good idea to forward cookies through proxy requests (without secure tunnelling, which is generally used for these tasks); that is why you have token security.
I can only guess that the reason they provide user-level tokens is to allow normal members to interact programmatically with a site they don't own, only at their permission level. If you have a super admin token you can do everything.
However, if you expose their own token in a browser/client script, that would not be good. It is not supposed to be shared publicly.
I'm not sure why there isn't a warning attached. If you get the token of the super admin you will be able to do more stuff.
If you are looking for a read-only API which you can use client to server and which uses the same controller used for browsing the site, there is another API for that. It works when they have a browser session, and you can use JavaScript.
e.g.
https://open.vanillaforums.com/profile.json
for cross domain request you can use JSONP
https://open.vanillaforums.com/profile.json?callback=yourCallbackFunction
There are more options on what sort of data you receive and in what format.
If there is an Ajax request you can use the information in the browser carefully, as it may need to be sanitised before being inserted in the DOM. If they are not logged in it will still return information, just at guest level.
grep is your friend.
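The read-only, session-based JSON/JSONP path described above, as an added browser-side example that is not part of the original post or of Vanilla's own code. It shows the one thing the reply warns about: every value from the response is escaped before it reaches the DOM. The response field names (`Profile.Name`, `Profile.About`) are assumed for illustration; the real `profile.json` shape should be checked against a live response.

```javascript
// Added example, not Vanilla code. Consume a read-only endpoint such as
// https://open.vanillaforums.com/profile.json from a page script and render
// it without trusting the response. Field names Profile.Name / Profile.About
// are ASSUMED for illustration.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the markup for a profile card as a string. Every value from the
// response goes through escapeHtml, so a display name such as
// "<img src=x onerror=alert(1)>" is shown as text rather than executed.
// An unauthenticated caller gets a guest-level answer with no profile,
// which is rendered as "Guest".
function renderProfile(data) {
  const profile = (data && data.Profile) || {};
  const name = profile.Name || 'Guest';
  const about = profile.About || '';
  return '<div class="profile"><strong>' + escapeHtml(name) +
    '</strong><p>' + escapeHtml(about) + '</p></div>';
}

// JSONP: with ?callback=yourCallbackFunction the server wraps the JSON in a
// call to that global, so the function must exist before the <script> tag is
// added. onRendered receives the finished HTML (used by the test harness).
function installJsonpCallback(callbackName, onRendered) {
  globalThis[callbackName] = function (data) {
    const html = renderProfile(data);
    if (typeof document !== 'undefined') {
      const mount = document.getElementById('profile');
      if (mount) mount.innerHTML = html; // values were escaped in renderProfile
    }
    onRendered(html);
  };
}

// Cross-domain load via a script tag (same-origin callers can use fetch with
// credentials instead, and the browser session decides the permission level).
function loadProfileJsonp(baseUrl, callbackName) {
  const script = document.createElement('script');
  script.src = baseUrl + '/profile.json?callback=' + encodeURIComponent(callbackName);
  document.head.appendChild(script);
}

// Constructed sample responses for offline use (not captured from a site).
const SAMPLE_MEMBER = {
  Profile: { Name: 'bob<script>alert(1)</script>', About: 'Hi & "hello"' },
};
const SAMPLE_GUEST = {}; // guest-level answer carries no profile details
```

Rendering through `escapeHtml` is what makes the `innerHTML` assignment safe; writing the raw response into the DOM, or interpolating it into a selector or URL, would hand control of the page to whoever can set a display name on the forum.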
Of course HTTP is stateless, I may have been sloppy with my description but by "sign in" I just meant getting the access token.
Well I think that is not the case and actually my big problem, but correct me if I'm wrong:
Let's say I have a server that works as a proxy between client and the vanilla backend. This server has a super admin token. But it can't for example create discussions on behalf of clients (with default permission) because the creator of the discussion will be the super admin user since ownership gets derived from the token in the authorization header.
You would need to use V1 with the UserID/SmartID.
Or check the permissions with V2, which would be more work.
I do see your point.
grep is your friend.
V2 is good if you are supplying a token to users for a third-party app, so long as the token is not exposed. You need to give instructions to the user.
grep is your friend.
You basically have 3 official APIs, and one API app from when there was only read-only out of the box.
grep is your friend.
scratch that.
grep is your friend.
Even that wouldn't work since I have no additional parameter to specify the discussion creator even if the super admin user had the permission to create the discussion for the client.
I think the only possible solution is to extend the API as described in this part of the docs, adding an endpoint for the (super admin) to generate a new token for a given username/id.
yes you could do that. That would make more sense if you want everything following to be under their permissions.
Since you can use v1 to specify the user you could also use that.
https://docs.vanillaforums.com/api/smart-id/
grep is your friend.
You mean I can use v1 smart id for v2?
No, and I think you are limited to v2 anyway unless you are on the hosted solution; well, you have kasper's API application, which is old.
What I would do is hook early on in dispatch, but after the access token is checked on the API path: if there is a userid param, and if the permission is high enough, start a new session using that user ID. Then in effect you will have the ability you want and there will be no need to add tokens, etc.
To harden it you can check whether the token user is the super admin, so there is no chance of a permission getting misconfigured.
grep is your friend.
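The dispatch-time hook proposed above, as an added example that is not part of the original post and is not Vanilla's own code. It is written as a framework-neutral request handler so it runs offline: the token table, the user records, the `admin` flag and the `userid` query parameter are assumed in-memory stand-ins for whatever the real application uses. It shows the behaviour the thread asks for (a super admin token acting on behalf of a member so the created discussion is owned by that member) together with the hardening in the last reply (only a super admin token may choose the acting user).

```javascript
// Added example, not Vanilla code. A dispatch hook that runs after the
// access token has been validated and decides which user the rest of the
// request acts as. All stores below are ASSUMED in-memory stand-ins.

// Constructed data: two access tokens and the users they belong to. A real
// store would keep a hash of the token, not the token itself.
const TOKENS = new Map([
  ['tok-admin-0001', { userID: 1 }],
  ['tok-member-0002', { userID: 42 }],
]);
const USERS = new Map([
  [1, { userID: 1, name: 'admin', admin: true }],
  [42, { userID: 42, name: 'alice', admin: false }],
  [43, { userID: 43, name: 'bob', admin: false }],
  [7, { userID: 7, name: 'otheradmin', admin: true }],
]);

// Returns { status: 200, session } or { status, error }. The session carries
// the user every later permission check and ownership field should use.
function resolveSession(req) {
  const auth = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m) return { status: 401, error: 'missing bearer token' };
  const tokenInfo = TOKENS.get(m[1]);
  if (!tokenInfo) return { status: 401, error: 'invalid token' };
  const tokenUser = USERS.get(tokenInfo.userID);
  if (!tokenUser) return { status: 401, error: 'token owner no longer exists' };

  const requested = req.query && req.query.userid;
  if (requested === undefined) {
    // No impersonation requested: act as the token's owner, as today.
    return { status: 200, session: { userID: tokenUser.userID, actingFor: null } };
  }

  // Hardening from the thread: the decision is tied to the super admin flag
  // on the token's owner, not to a configurable permission that could be
  // handed to an ordinary token by mistake.
  if (!tokenUser.admin) return { status: 403, error: 'token may not impersonate' };

  const targetID = Number.parseInt(requested, 10);
  const target = Number.isInteger(targetID) ? USERS.get(targetID) : undefined;
  if (!target) return { status: 404, error: 'unknown userid' };
  // Keep the blast radius bounded: an admin may act as members, not as
  // other admins (design choice for this example).
  if (target.admin && target.userID !== tokenUser.userID) {
    return { status: 403, error: 'cannot impersonate another admin' };
  }

  // "Start a new session using that user ID": downstream code sees the
  // member, so permission checks and ownership derive from them.
  return { status: 200, session: { userID: target.userID, actingFor: tokenUser.userID } };
}

// Downstream handler: ownership is taken from the session, never from the
// request body, which is why the hook has to run before it.
function createDiscussion(session, body) {
  return {
    name: String(body.name || ''),
    insertUserID: session.userID,
    impersonatedBy: session.actingFor, // keep an audit trail of who really acted
  };
}

// Whole flow for one request object of the shape { headers, query, body }.
function handleCreateDiscussion(req) {
  const r = resolveSession(req);
  if (r.status !== 200) return { status: r.status, error: r.error };
  return { status: 201, discussion: createDiscussion(r.session, req.body || {}) };
}
```

The proxy from the earlier post would hold the super admin token server-side, authenticate its own users however it likes, and pass `userid` only after it has established who is calling; the token itself never leaves the proxy. Recording `impersonatedBy` alongside the owner keeps the real actor visible in logs even though the discussion is owned by the member.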
I am learning on this...