#1 2021-11-19 19:49:37

radexpol
Member
From: Poland, Krk
Registered: 2019-11-29
Posts: 116

[SOA] Use methods as API user and logged user.

I would like to use one endpoint for logged-in users as well as API users (one-time token). Let's say I have an endpoint:

type
  TVehicles = class(TInterfacedObject, IVehicles)
    procedure GetVehicles(out outputVehicles: TArray<TVehiclesStruct>);
  end;

implementation

//pseudocode

procedure TVehicles.GetVehicles(out outputVehicles: TArray<TVehiclesStruct>);
var
  user: TUser;       // pseudocode: whatever loggedUsers returns
  token: TApiToken;  // pseudocode: whatever apiTokens returns
begin
  //logged user ?
  if loggedUsers.findtoken(request.header.token, user) then
    outputVehicles.add('select name, owner from vehicles where owner = user')
  //maybe one-time request based on token key ?
  else if apiTokens.findtoken(request.header.token, token) then
    outputVehicles.add('select name, owner from vehicles ' +
                       'join tokens where owner = token.owner ' +
                       'and token = context.token ')
  else
    raise Exception.Create('not authorized');
end;

ServiceDefine(TVehicles, [IVehicles], sic????);

What are the best practices for such an issue? Creating a copy of each API endpoint does not seem to be a nice solution.

//*********************************
type
  TVehiclesForUsers = class(TInterfacedObject, IVehiclesForUsers)
  end;

implementation

ServiceDefine(TVehiclesForUsers, [IVehiclesForUsers], sicPerUser);

//*********************************

type
  TVehiclesForTokenRequests = class(TInterfacedObject, IVehiclesForTokenRequests)
  end;

implementation

ServiceDefine(TVehiclesForTokenRequests, [IVehiclesForTokenRequests], sicShared);

//*********************************

I have hundreds of methods; about 80% of them must be both user-accessible and token-accessible, and the output data depends on the user's or token's privileges.

Last edited by radexpol (2021-11-19 19:53:16)


#2 2021-11-22 09:02:48

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655

Re: [SOA] Use methods as API user and logged user.

If you use the mORMot authentication, then you can specify which users run which method.

If you want to use a token, I would advise using a JWT, and fill it in on the server side via TSQLRestServer.JWTForUnauthenticatedRequest.
The client should properly set the JWT in the standard auth-bearer HTTP header field.
Then you can retrieve the JWT information in TSQLRestServerURIContext.JWTContent.


#3 2022-10-18 19:48:48

radexpol
Member
From: Poland, Krk
Registered: 2019-11-29
Posts: 116

Re: [SOA] Use methods as API user and logged user.

How do I access "TSQLRestServerURIContext.JWTContent" from the GetVehicles method to vary the response depending on data stored in the JWT, i.e. "userLevel"?


#4 2022-10-19 08:10:26

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655

Re: [SOA] Use methods as API user and logged user.

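The approach from post #2 (one service, a JWT installed via JWTForUnauthenticatedRequest, the claims read back from JWTContent) and the question in post #3 (how a service method reaches JWTContent), put together as an added example. This is not code from the thread or from the mORMot project; it uses the mORMot 1.18 names as I recall them (the ServiceContext threadvar, TSQLRestServerURIContext.Session, SessionUserName and JWTContent, TJWTHS256, TJWTAbstract.Compute), which you should check against your installed version. TSQLVehicle, the DTO types, the "userLevel" claim and the interface GUID are placeholders assumed for the example.

```pascal
unit VehiclesService;

// Added example for this thread (not code from the forum posts or from the
// mORMot project): one sicShared service whose method serves both
// session-authenticated users and JWT bearer callers.
// Assumptions: mORMot 1.18 unit and member names as recalled (ServiceContext,
// TSQLRestServerURIContext.Session/SessionUserName/JWTContent, TJWTHS256,
// TJWTAbstract.Compute); TSQLVehicle, the DTOs, the 'userLevel' claim and the
// interface GUID are placeholders.

interface

uses
  SysUtils, Contnrs, SynCommons, SynCrypto, mORMot;

type
  // plain DTO returned to the client (serialized as JSON by the service layer)
  TVehicleDTO = packed record
    Name: RawUTF8;
    Owner: RawUTF8;
  end;
  TVehicleDTOs = array of TVehicleDTO;

  // ORM table behind the service (assumed for the example)
  TSQLVehicle = class(TSQLRecord)
  private
    fName: RawUTF8;
    fOwner: RawUTF8;
  published
    property Name: RawUTF8 read fName write fName;
    property Owner: RawUTF8 read fOwner write fOwner;
  end;

  IVehicles = interface(IInvokable)
    ['{3F5C2A1E-7B8D-4E0F-9A6B-1C2D3E4F5A6B}']  // placeholder GUID
    procedure GetVehicles(out Vehicles: TVehicleDTOs);
  end;

  TVehicles = class(TInterfacedObject, IVehicles)
  public
    procedure GetVehicles(out Vehicles: TVehicleDTOs);
  end;

// install the JWT verifier on the server and register the single service
procedure RegisterVehiclesService(Server: TSQLRestServer; const JWTSecret: RawUTF8);
// mint a bearer token for an API caller (sent back as "Authorization: Bearer ...")
function IssueApiToken(Server: TSQLRestServer; const Owner, Level: RawUTF8): RawUTF8;

implementation

// Identify the caller from the per-request execution context: a mORMot session
// wins; otherwise a JWT that the server verified before the method was called.
function CallerOwner(out Level: RawUTF8): RawUTF8;
var
  ctxt: TSQLRestServerURIContext;
begin
  ctxt := ServiceContext.Request;
  if ctxt.Session > CONST_AUTHENTICATION_NOT_USED then begin
    result := ctxt.SessionUserName;               // TSQLAuthUser.LogonName
    Level := 'user';                              // or derive it from SessionGroup
  end else if ctxt.JWTContent.result = jwtValid then begin
    result := ctxt.JWTContent.reg[jrcSubject];    // "sub" claim carries the owner
    Level := ctxt.JWTContent.data.U['userLevel']; // custom claim set by IssueApiToken
  end else
    raise EServiceException.Create('not authorized'); // reported as an error response
end;

procedure TVehicles.GetVehicles(out Vehicles: TVehicleDTOs);
var
  owner, level: RawUTF8;
  list: TObjectList;
  v: TSQLVehicle;
  i: integer;
begin
  owner := CallerOwner(level);
  // privileges decide the scope; the owner is bound through '?' so the value
  // never becomes part of the SQL text
  if level = 'admin' then
    list := ServiceContext.Request.Server.RetrieveList(TSQLVehicle, '', [])
  else
    list := ServiceContext.Request.Server.RetrieveList(TSQLVehicle, 'Owner=?', [owner]);
  if list = nil then
    exit;
  try
    SetLength(Vehicles, list.Count);
    for i := 0 to list.Count - 1 do begin
      v := TSQLVehicle(list[i]);
      Vehicles[i].Name := v.Name;
      Vehicles[i].Owner := v.Owner;
    end;
  finally
    list.Free;
  end;
end;

procedure RegisterVehiclesService(Server: TSQLRestServer; const JWTSecret: RawUTF8);
begin
  // HS256 tokens with mandatory "sub" and "exp" claims, 10 minutes lifetime
  Server.JWTForUnauthenticatedRequest := TJWTHS256.Create(
    JWTSecret, 1000, [jrcSubject, jrcExpirationTime], [], 10);
  Server.ServiceDefine(TVehicles, [IVehicles], sicShared);
end;

function IssueApiToken(Server: TSQLRestServer; const Owner, Level: RawUTF8): RawUTF8;
begin
  // "userLevel" lands in the payload and is read back via JWTContent.data
  result := Server.JWTForUnauthenticatedRequest.Compute(
    ['userLevel', Level], '', Owner);
end;

end.
```

The API caller sends the token in the standard `Authorization: Bearer <jwt>` header, as post #2 says; a logged-in client keeps using the normal mORMot session and hits the same GetVehicles. Two things to keep in mind: a JWT is not one-time by itself, the `exp` claim only bounds its lifetime, so a real single-use token needs a `jti` claim (jrcJwtID) plus a server-side record of consumed ids; and whether a session-less request carrying a JWT is admitted to the service at all depends on the server's authentication settings, so check that path on your version before relying on it.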

#5 2022-10-19 09:23:08

radexpol
Member
From: Poland, Krk
Registered: 2019-11-29
Posts: 116

Re: [SOA] Use methods as API user and logged user.

Perfect, thank you

