How to request a token key when Authenticate user from a client app? #840

Closed
ronaldaug opened this Issue Aug 17, 2018 · 8 comments

ronaldaug commented Aug 17, 2018

https://getcockpit.com/documentation/api/cockpit
I read the documentation and it seems every "fetch" ajax request has to include a token key.
From my experience with other API CMSs, a user sends a POST request and a token key is returned.

Probably, something like this

$.ajax({
  type: 'POST',
  url: 'http://mydomain.com/api/auth',
  data: {
    username: 'john@johndoe.com',
    password: 'johndoe'
  },
  success: function(response) {
    console.log('User token', response.jwt);
  },
  error: function(error) {
    console.log('Error : ', error);
  }
});

Do I have to generate a new token key in the backend panel manually?

Thanks in advance.

@ronaldaug ronaldaug changed the title How to request a token key when Authenticate user from client app? How to request a token key when Authenticate user from a client app? Aug 17, 2018

Contributor

raffaelj commented Aug 17, 2018

You could generate a new API-key and give it access to /api/cockpit/authUser.
Then send a post request with
{"token":"THENEWAPIKEY","user":"john@johndoe.com","password":"johndoe"}
to https://mydomain.com/api/cockpit/authUser.

Response:

{
    "user": "john@johndoe.com",
    "email": "john@johndoe.com",
    "group": "editors",
    "active": true,
    "i18n": "de",
    "api_key": "account-SECRETUSERTOKEN",
    "name": "John Doe",
    "_modified": 1532597353,
    "_created": 1528376290,
    "_id": "1234567abcdefgh123456789qw"
}

Author

ronaldaug commented Aug 18, 2018

Thanks @raffaelj,
But this is similar to the one in the documentation; my question is about requesting a token key with only a username and password.

Let's say my client sends a request to https://mydomain.com/api/cockpit/authUser
He must have a token key in his hand first, right?

So basically it means I have to copy the token keys (manually) from the backend panel
and give them to my clients to let them send the requests?
What if there are a thousand clients?

Am I missing something?

Contributor

raffaelj commented Aug 18, 2018

As I understand the code, an API key is necessary. But I'm not 100% sure, and before trying it out I also expected that it would be possible with user credentials only.

But if so, you can use the same key for all your clients. They call authUser with this key and in the next step their application can use the user api key "api_key": "account-SECRETUSERTOKEN".

If you don't want to give them a URL and a key, just give them a URL:
https://mydomain.com/api/cockpit/authUser?token=TheNewApiKeyWithAccessToAuthUser.

And yes, it would feel cleaner without needing the key in the first place.

Member

aheinze commented Aug 18, 2018

Create the following file /config/api/public/auth.php with the following code:

<?php

return  $this->invoke('Cockpit\\Controller\\RestApi', 'authUser');

now you can query /api/public/auth without a token ☝️
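
Added example, not part of the thread or of Cockpit's code: a client-side login against the `/api/public/auth` route from the comment above, sending `user` and `password` in a JSON POST body over HTTPS and keeping the returned `api_key` out of logs. The function names are hypothetical, and Cockpit is assumed to be served from the site root.

```javascript
// Added example: buildAuthRequest, readSession, redact and login are hypothetical names.
const SECRET_FIELDS = ['api_key', 'password', 'token'];

// Build the POST for the custom /api/public/auth route from the thread.
// Credentials go in the JSON body, never in the query string, and only over HTTPS.
function buildAuthRequest(baseUrl, user, password) {
  const url = new URL('/api/public/auth', baseUrl); // assumes Cockpit at the site root
  if (url.protocol !== 'https:') {
    throw new Error('refusing to send credentials over ' + url.protocol);
  }
  return {
    url: url.toString(),
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ user, password }),
    },
  };
}

// Pull the per-account key out of an authUser response shaped like the one in the thread.
function readSession(body) {
  if (!body || typeof body.api_key !== 'string' || body.api_key === '') {
    throw new Error('authentication failed: no api_key in response');
  }
  return { user: body.user, group: body.group, apiKey: body.api_key };
}

// Shallow copy of an object with secret fields masked, safe to log.
function redact(obj) {
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    out[key] = SECRET_FIELDS.includes(key) ? '[redacted]' : value;
  }
  return out;
}

// fetchImpl is injectable so the flow can be exercised without a network.
async function login(baseUrl, user, password, fetchImpl = fetch) {
  const { url, options } = buildAuthRequest(baseUrl, user, password);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error('auth request failed: HTTP ' + res.status);
  const body = await res.json();
  console.log('auth response', redact(body)); // api_key never reaches the console
  return readSession(body);
}
```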

Contributor

raffaelj commented Aug 18, 2018

Another option would be to allow all requests without an API key if the user credentials match... I copy-pasted a simple solution here: raffaelj@cd541c6

Member

aheinze commented Aug 18, 2018

@raffaelj don't agree on this, therefore you should use the account api key

Contributor

raffaelj commented Aug 18, 2018

@aheinze OK, it was just a thought.

Author

ronaldaug commented Aug 19, 2018

@aheinze @raffaelj
Thanks for your quick replies.
It works like a charm.
I love the fact that it's not necessary to inject the core codes.
❤️Cockpit

@ronaldaug ronaldaug closed this Aug 19, 2018
