Webservice
ExpressionEngine 2, ExpressionEngine 3, ExpressionEngine 4
No session auth?
Feature (Resolved)
Paul vdW
Posted: 19 November 2014 12:34 PM
Am I missing something or does every call really have to use username/password for entries to be assigned to the right user?
The site uses a lot of JS calls to data saved in EE (think AngularJS frontend). At the moment there’s a lot of complicated stuff needed to securely create entries, so the idea is to switch over to the EntryAPI. But I can’t seem to find a way to have EntryAPI/Webservice use the details of the logged-in user.
Any suggestions?
Thanks,
Paul

Reinos (Developer)
Posted: 19 November 2014 04:21 PM | # 1
Hi Paul,
You can set some API methods as “free” without login (http://reinos.nl/expressionengine/webservice/docs/the-settings) or you can use api_keys (http://reinos.nl/expressionengine/webservice/docs/api-keys).
Best,
Rein

Paul vdW
Posted: 20 November 2014 07:30 AM | # 2
The problem is that allowing access without login means non-members can create channel entries.
And using membergroup API keys without username/password means that all entries are owned by one user seemingly randomly picked from within that group.
And using member API keys means anyone could easily hijack the system and gain access to creating entries as that member.

Reinos (Developer)
Posted: 20 November 2014 03:39 PM | # 3
But what do you suggest for your project?

ignitionint
Posted: 23 January 2015 04:49 PM | # 4
There should be some kind of token auth that doesn’t expose API credentials.

ignitionint
Posted: 23 January 2015 05:02 PM | # 5
As it is now you can’t use Webservice in your JS app to write entries as it allows anyone to write to your DB since the creds are exposed in the JS. From what I can gather the way around it is to set up some sort of token and handshake.
https://stormpath.com/blog/secure-your-rest-api-right-way/
OAuth 1.0a looks to be the best method (according to the article).
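
Editor's added example (not part of the post above, and not Webservice or ExpressionEngine code): a minimal sketch of the "token and handshake" idea, in which the server issues a short-lived HMAC-signed token to an already logged-in member and derives the entry author from that token on each write request. It is written for Node.js; `issueToken`, `verifyToken`, `SERVER_SECRET` and the 300-second lifetime are hypothetical names and values, and the session check that precedes `issueToken` is assumed.

```javascript
const crypto = require('node:crypto');

// Assumption: this secret exists only on the server and is never sent to the browser.
const SERVER_SECRET = crypto.randomBytes(32);
const TTL_SECONDS = 300; // assumed token lifetime

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (payload) =>
  crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest();

// Server side, after the member's login session has been validated:
// the browser receives this token instead of a username/password or API key.
function issueToken(memberId, now = Date.now()) {
  const payload = b64url(JSON.stringify({
    sub: memberId,
    exp: Math.floor(now / 1000) + TTL_SECONDS,
  }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Server side, on every write request: returns the member id the new entry
// must be attributed to, or null if the token is malformed, forged or expired.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = sign(payload);
  const given = Buffer.from(mac, 'base64url');
  // Compare MACs in constant time; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number') return null;
  if (claims.exp <= Math.floor(now / 1000)) return null;
  return claims.sub; // the author comes from the token, not from the request body
}
```

The token is still visible to the page's JavaScript, so it needs HTTPS and a short lifetime; what it avoids is placing a long-lived credential in the client code.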

Reinos (Developer)
Posted: 23 January 2015 06:16 PM | # 6
Yes, I know, but you could also use the API keys for now.
Best,
Rein

Reinos (Developer)
Posted: 17 August 2016 04:15 PM | # 7
Key/secret are added in the EE3 version. http://docs.reinos.nl/webservice/#key-secret