Plugin aware if REST call being made to API

I have a plugin that checks COOKIES to determine if a user is currently logged in to a 3rd party site (Moodle). If they are not logged in to Moodle I do a redirect to Moodle and force them to log in. This is a cheap and dirty way to link the two sites but it works for now.

However, my problem arises when I try to do a CURL call from Moodle to the Elgg API that I have exposed.

The COOKIE is not available and the redirect always happens nullifying my CURL call results. 

My question is: Is there a way for my plugin to know if it is a normal request or a request to the API?

  • Curious: Is your plugin verifying the cookies given to you by the browser? You should be reading the user id from the serialized session file/DB row in Moodle.

    I assume the Elgg API requires a valid Elgg session, so the user's browser would need to pass the Elgg cookie to you (Elgg would have to share domain w/ Moodle), and you would need to send that Elgg cookie in your backend request to Elgg, fooling Elgg into thinking the request is coming from the browser.

    You can also include a header like X-Client: MyPlugin and check for that header in your plugin to distinguish requests.

  • I think we have VERY simple question here. As I understand elgg wants user to be logged in on both services, so it tries to easily guess if there's moodle session in place or not, if not - redirects to moodle login page. So no safety problem at this point, and concern is simply by recognizing some elgg calls that shouldn't be redirected. In particular REST API calls from moodle (probably to implement SSO scheme).

    I'd suggest to register to trigger: elgg_trigger_plugin_hook('rest', 'init', null, false)
    Called only for REST API calls. This way you can mark API calls and check if your'e in rest call or not (probably on event, 'pagesetup', 'system') and do cookie check/redirection or not.

    Second topic would be safety of whole approach, but we don't know here the big picture, and it wasn't the actual question.

  • I am not too familiar with the Elgg platform as where most of my problems are coming from. Could you possible provide a little more information on how to approach registering a plugin hook only to trigger on an API call?

    Currently reading Plugin Hooks documentation but not sure if I will get all the relevant information I need from there.

    Thanks for your help.

  • ' normal request or a request to the API ' does not compute ! ;o( once you expose a function as a 'web service' - it should be invoked only via restful uri calls with the proper authenticators (assuming you are not exposing for public access) -- unless someone, plugin coder or you write some code to violate that intrinsic coding stds requirement! i think that your issue is with something else, some other area or,, you're simply misunderstanding what web services, soa resources & other artifacts are in the http situation... ;o) anyways.. examinign the uri and the parameter set can be used quite easily to deternine whether the access 'looks like' it is meant to be a rest call or something else.

     

     

  • Matt, you should find answer in Elgg documentation. In simple words, you have to register to plugin hook in a following way:

    elgg_register_plugin_hook('rest', 'init', 'your_function_name');, where in function named your_function_name you have to define eg. some session or global variable that says you're in API call. Later you have to just do checks against this variable.