Recently I created a topic of discussion on a better way to make a call to a service with authentication from the client (JS): https://community.elgg.org/discussion/view/2148088/better-way-to-call-a-webservice-api-method-from-client
I did not find a better solution, so I made a change in the web_services plugin for it to check if the request came from a logged in user. Thus I can make calls from my Angular controller without the need to pass an authentication token in the request.
The solution is in:
https://github.com/gcaldeira/Elgg/commit/1a5fc103afb0d7116d7bf67912c0e18a48fcf343
I would like to know the opinion of the other developers about this solution.
I think you may be confusing web services with regular ajax callbacks.
I am not sure web-services are meant to originate from the same server, so there shouldn't be any shared sessions/cookies.
I can see, however, how this could be useful when working with client side services. I think what you should do is implement another PAM handler that will check the origin of the request and the cookie (perhaps sign it with an HMAC key).
@Beck24 I just want to make a centralized entry point to use this both in a client JS app and other external apps...
@ihayredinov do you have an example that can help me?
Hi,
I am developing an angularjs client to log in with the elgg webservice. I think it is a good idea because, if you need a custom client like me, with all the features of elgg, this is the simplest way you can do it, like a traditional REST client.
Here's the PR you made. Like I said, the cleaner way is to register the existing pam_auth_session() handler that the plugin already provides. As for why this shouldn't be used for production, I'm not sure. It doesn't seem like a security risk and it seems valuable to have 1 API for handling both webservice and ajax calls...
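A concrete form of the PAM-handler approach discussed above, added here as an example; it is not code from the linked PR or from Elgg itself. It assumes the Elgg 1.x web_services API (register_pam_handler(), elgg_is_logged_in(), validate_action_token(), elgg_get_site_url()) and a hypothetical plugin name "session_api". Unlike a handler that only asks "is there a session?", it also requires Elgg's CSRF action token, which is the check that makes a session-authenticated API endpoint safe to expose to a browser client.

```php
<?php
/**
 * Hypothetical plugin start.php (assumption: Elgg 1.x with web_services enabled).
 * Registers a PAM handler for the 'api' policy so a browser client (e.g. an
 * Angular controller) can call the REST API with its normal session, while
 * refusing requests that arrive without Elgg's action token. A session cookie
 * alone would let any third-party page trigger API calls on the user's behalf.
 */
elgg_register_event_handler('init', 'system', 'session_api_init');

function session_api_init() {
    // 'sufficient': if this handler succeeds no other handler is consulted.
    // The usertoken handler registered by web_services still serves external apps.
    register_pam_handler('session_api_pam_handler', 'sufficient', 'api');
}

/**
 * PAM handler for the 'api' policy. Succeeds only for a logged-in session
 * that also presents a valid, unexpired __elgg_token / __elgg_ts pair,
 * the same CSRF token Elgg requires on actions (elgg.security.token in JS).
 */
function session_api_pam_handler($credentials = array()) {
    if (!elgg_is_logged_in()) {
        return false;
    }

    // Best-effort cross-site rejection: when the browser sends an Origin
    // header, it must match the site host. (Not every client sends one,
    // so this complements the token check rather than replacing it.)
    $site_host = parse_url(elgg_get_site_url(), PHP_URL_HOST);
    $origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
    if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== $site_host) {
        return false;
    }

    // validate_action_token() reads __elgg_token and __elgg_ts from the request;
    // false = do not register a visible error message, just report the result.
    return (bool) validate_action_token(false);
}
```

The JS client sends `__elgg_token` and `__elgg_ts` (from `elgg.security.token`) with every API request, exactly as it would for an Elgg action.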