
Archived Forum (read-only)



Webservice

ExpressionEngine 2, ExpressionEngine 3, ExpressionEngine 4


No session auth?

Feature (Resolved)

Paul vdW

Am I missing something or does every call really have to use username/password for entries to be assigned to the right user?

The site uses a lot of JS calls to data saved in EE (think AngularJS frontend). At the moment there’s a lot of complicated stuff needed to securely create entries, so the idea is to switch over to the EntryAPI. But I can’t seem to find a way to have EntryAPI/Webservice use the details of the logged-in user.

Any suggestions?

Thanks,
Paul

Reinos (Developer) #1

Hi Paul,

You can set some api methods as “free” without login (http://reinos.nl/expressionengine/webservice/docs/the-settings) or you can use api_keys (http://reinos.nl/expressionengine/webservice/docs/api-keys)

best,
Rein

Paul vdW #2

The problem is that allowing access without login means non-members can create channel entries.

And using membergroup API keys without username/password means that all entries are owned by one user seemingly randomly picked from within that group.

And using member API keys means anyone could easily hijack the system and gain access to creating entries as that member.

Reinos (Developer) #3

But what do you suggest for your project?

ignitionint #4

There should be some kind of token auth that doesn’t expose API credentials.

ignitionint #5

As it is now you can’t use Webservice in your JS app to write entries, as it allows anyone to write to your DB since the creds are exposed in the JS. From what I can gather the way around it is to set up some sort of token and handshake.

https://stormpath.com/blog/secure-your-rest-api-right-way/

OAuth 1.0a looks to be the best method (according to the article).
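The token-and-handshake pattern discussed in this thread, as an added example that is not part of the original posts and not the Webservice add-on's own key/secret implementation: the server mints a short-lived token bound to the member id of the already-authenticated EE session, the browser app sends only that token, and the API derives the entry's author from it. The server secret, the member ids and the `create_entry` stub are constructed for illustration.

```python
import hmac
import hashlib
import secrets
import time

# Lives only on the server (in a real deployment, in config, not in the JS bundle).
SERVER_SECRET = secrets.token_bytes(32)


def mint_token(member_id: int, ttl: int = 300, now=None) -> str:
    """Issue a token after the server has verified the EE session for member_id.

    The token carries the member id and an expiry; the HMAC stops the client
    from changing either, so no password or API key ever reaches the browser.
    """
    now = int(time.time() if now is None else now)
    payload = f"{member_id}:{now + ttl}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str, now=None):
    """Return the member id to attribute the entry to, or None if the token is bad."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    member_id, exp, sig = parts
    expected = hmac.new(SERVER_SECRET, f"{member_id}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    now = int(time.time() if now is None else now)
    if int(exp) < now:  # expiry bounds the window a leaked token is useful for
        return None
    return int(member_id)


def create_entry(token: str, title: str, now=None) -> dict:
    """Hypothetical API handler: the author comes from the token, never from the request body."""
    member_id = verify_token(token, now)
    if member_id is None:
        return {"error": "unauthorized"}
    return {"author_id": member_id, "title": title}
```

A tampered member id or an expired token is rejected, so entries cannot be created on behalf of another member even though the token itself is visible in the JS.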

Reinos (Developer) #6

Yes I know, but you could also use the api keys for now.

Best,
Rein

Reinos (Developer) #7

Key/secret are added in the EE3 version. http://docs.reinos.nl/webservice/#key-secret