
What is the API v2 good for?

bobloboblo New
edited June 2018 in General Banter

Hi. I'm reading through the docs for the new API.

Regarding the authorization process. What is the API good for if a user has to manually generate an access token?

General usage of the API looks very good, but I can't really use it as a JSON API if I can't sign in my users programmatically.

Is it just meant for admin usage?

Comments

  • First, there is no such thing as being "signed in" in HTTP.

    HTTP is stateless. Without cookies nothing bridges the request; sessions only exist in the context of the request from a browser that stores cookies.

    What is the use case?

    The API is suitable for server to server communication, so users don't have to be signed in for you to do operations with the API. It would not be secure to do client to server communication with an access token.

    The API is not for SSO; you can do SSO separately, then use that as a basis for using a token server to server. It is up to you to check they are allowed the information and capabilities you give them. Also, it is not usually a good idea to forward cookies through proxy requests (without secure tunnelling, which is generally used for these tasks); that is why you have token security.

    I can only guess why they provide user level user tokens: to allow normal members to interact programmatically with a site they don't own, only on their permission level. If you have a super admin token you can do everything.

    However, exposing their own token in a browser/client script would not be good. It is not supposed to be shared publicly.

    I'm not sure why there isn't a warning attached. If you get the token of the super admin you will be able to do more stuff.

    If you are looking for a read only API which you can use client to server and which uses the same controller used for browsing the site, there is another API for that, which can work when they have a browser session, and you can use javascript.

    e.g.
    https://open.vanillaforums.com/profile.json

    for cross domain request you can use JSONP

    https://open.vanillaforums.com/profile.json?callback=yourCallbackFunction

    There are more options on what sort of data you receive and in what format.

    If there is an ajax request you can use the information in the browser carefully, as it may need to be sanitised before being inserted in the DOM. If they are not logged in it will still return information, just at guest level.

    grep is your friend.
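As an added example (not code from the thread or from Vanilla), the following Python sketch shows the server-to-server pattern the reply above describes: the access token lives only on the proxy server, the client's cookies and any client-supplied Authorization header are dropped before the upstream call, and the proxy decides for itself which operations a caller may trigger. The base URL, endpoint paths, role names and the Bearer header format are assumptions made for this example.

```python
"""Added example, not Vanilla's code: a proxy that keeps the API v2 access
token on the server. Base URL, endpoint paths, role names and the Bearer
header format are assumptions made for this example."""
import json
import os

# Constructed values. In a real deployment the token comes from a secret
# store, never from source control or a browser-visible config.
VANILLA_BASE_URL = "https://forum.example.invalid"          # placeholder
ADMIN_TOKEN = os.environ.get("VANILLA_API_TOKEN", "CONSTRUCTED-TOKEN")

# Browser-supplied headers that must never reach the upstream API: the
# client's cookies, any Authorization header it tries to smuggle, and
# origin details that belong to the proxy, not the client.
DROPPED_REQUEST_HEADERS = {"cookie", "authorization", "host", "x-forwarded-for"}

# The proxy's own authorisation table (constructed): which operations each
# proxy-side role may trigger. The upstream token is all-powerful, so this
# table is the only thing standing between a caller and the admin token.
ROLE_ALLOWED = {
    "guest": {"list_discussions"},
    "member": {"list_discussions", "create_discussion"},
}

# Assumed API v2 paths; check them against the Vanilla docs before use.
OPERATIONS = {
    "list_discussions": ("GET", "/api/v2/discussions"),
    "create_discussion": ("POST", "/api/v2/discussions"),
}


def client_may(client_role, operation):
    """True if the proxy's policy lets this role trigger this operation."""
    return operation in ROLE_ALLOWED.get(client_role, set())


def build_upstream_request(client_role, operation, client_headers, body=None):
    """Return (method, url, headers, body) for the server-to-server call.

    Raises PermissionError when the proxy policy denies the operation and
    ValueError for an unknown operation; nothing is sent in either case."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if not client_may(client_role, operation):
        raise PermissionError(f"role {client_role!r} may not {operation}")

    method, path = OPERATIONS[operation]
    # Rebuild the header set instead of forwarding the client's wholesale.
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in DROPPED_REQUEST_HEADERS}
    headers["Authorization"] = f"Bearer {ADMIN_TOKEN}"   # assumed format
    headers["Accept"] = "application/json"
    if body is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(body)
    return method, VANILLA_BASE_URL + path, headers, body


def response_leaks_token(upstream_body):
    """Defence in depth: refuse to relay an upstream response that echoes
    the token, so a misconfiguration cannot hand it to the browser."""
    return ADMIN_TOKEN in upstream_body
```

Because every upstream call runs as the token's user, anything created through this proxy is attributed to that user (the ownership problem raised later in the thread), which is why the proxy-side policy table has to be strict rather than a pass-through.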

  • bobloboblo New
    edited June 2018

    Of course HTTP is stateless, I may have been sloppy with my description but by "sign in" I just meant getting the access token.

    If you have a super admin token you can do everything.

    Well I think that is not the case and actually my big problem, but correct me if I'm wrong:

    Let's say I have a server that works as a proxy between client and the vanilla backend. This server has a super admin token. But it can't for example create discussions on behalf of clients (with default permission) because the creator of the discussion will be the super admin user since ownership gets derived from the token in the authorization header.

  • You would need to use V1 with the UserID/SmartID.

    Or check the permissions with V2 which would be more work.

    Our API v1 will continue to be supported indefinitely and can be used alongside API v2. We strongly recommend developing new integrations on API v2 once it’s available. Of note, the new API will be JSON only and won’t include support for XML which was not widely used.

    I do see your point.

    grep is your friend.

  • V2 is good if you are supplying token to users for a third party app, so long as the token is not exposed. You need to give instructions to the user.

    grep is your friend.

  • x00x00 MVP
    edited June 2018

    You basically have 3 official APIs, and one API app from when there was only read only out of the box.

    grep is your friend.

  • x00x00 MVP
    edited June 2018

    scratch that.

    grep is your friend.

  • bobloboblo New
    edited June 2018

    Or check the permissions with V2 which would be more work.

    Even that wouldn't work since I have no additional parameter to specify the discussion creator even if the super admin user had the permission to create the discussion for the client.

    I think the only possible solution is to extend the API as described in this part of the docs, adding an endpoint for (super admin) to generate a new token for a given username/id.

  • Yes, you could do that. That would make more sense if you want everything following to be under their permissions.

    Since you can use v1 to specify the user you could also use that.
    https://docs.vanillaforums.com/api/smart-id/

    grep is your friend.

  • Since you can use v1 to specify the user you could also use that.
    https://docs.vanillaforums.com/api/smart-id/

    You mean I can use v1 smart id for v2?

  • No, and I think you are limited to v2 anyway unless you are on the hosted solution; well, you have kasper's API application, which is old.

    What I would do is hook early on in dispatch, but after the access token is checked on the API path: if there is a userid param and the permission is high enough, start a new session using that user ID. Then in effect you will have the ability you want and there will be no need to add tokens, etc.

    To harden it, you can check if the token user is the super admin, so there is no chance of permissions getting misconfigured.

    grep is your friend.
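To make the proposed hook concrete, here is an added Python model (not Vanilla code, and not a working plugin) of the decision it would make after the access token has been verified: a userid parameter is honoured only when the token's user is the super admin, anything else fails closed, and every attempt to act as another user is recorded. The principal structure, role name, parameter name and audit format are constructed for this example.

```python
"""Added example, not Vanilla's code: a model of the "act as user" decision
for the dispatch hook proposed above. It assumes the access token has
already been verified and that the target user arrives as a `userid`
parameter; the principal shape, role name and audit format are
constructed for this example."""
from dataclasses import dataclass

SUPER_ADMIN_ROLE = "super_admin"   # constructed role name


@dataclass(frozen=True)
class TokenPrincipal:
    """Who the verified access token belongs to."""
    user_id: int
    roles: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool            # False means the dispatcher should refuse (403)
    effective_user_id: int   # the user the session should be started as
    impersonated: bool       # True only when effective user != token user
    reason: str


def resolve_effective_user(principal, params, audit):
    """Decide which user the request runs as; fail closed on anything odd.

    `params` is the request's parameter dict, `audit` a list standing in for
    a log sink: every attempt to act as another user is recorded there,
    successful or not, so misuse of a leaked admin token stays visible."""
    raw = params.get("userid")
    if raw is None:
        return Decision(True, principal.user_id, False, "no userid param")

    try:
        target = int(raw)
        if target <= 0:
            raise ValueError
    except (TypeError, ValueError):
        audit.append(f"deny token_user={principal.user_id} userid={raw!r} invalid")
        return Decision(False, principal.user_id, False, "invalid userid")

    if target == principal.user_id:
        return Decision(True, principal.user_id, False, "userid is token user")

    # Hardening from the thread: only the super admin may act as someone else,
    # so a mis-granted permission on an ordinary token cannot unlock this.
    if SUPER_ADMIN_ROLE not in principal.roles:
        audit.append(f"deny token_user={principal.user_id} act_as={target} not super admin")
        return Decision(False, principal.user_id, False,
                        "only super admin may act as another user")

    audit.append(f"allow token_user={principal.user_id} act_as={target}")
    return Decision(True, target, True, "super admin acting as user")
```

The dispatcher would call this once per API request and start the session as `effective_user_id` only when `allowed` is true; denied and malformed requests never reach a session at all, and the audit entries give a single place to alert on unexpected impersonation.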

  • I am learning on this... :awesome:
