Saving the Auth0 token to my own database using APIs



  • I have an app that uses APIs to retrieve something from a database. These APIs are protected by Auth0, and I’d like to be able to pass the Auth0 token or email address of the logged-in user back to my APIs, so I can log it against any records that they create.

    Has anyone done this, or are there any good tutorials?



  • @NickBloodworth said in Saving the Auth0 token to my own database using APIs:

    …I’d like to be able to pass the Auth0 token or email address of the logged-in user back to my APIs, so I can log it against any records that they create.

    So, basically you just want to do a CSRF 🙂

    https://en.wikipedia.org/wiki/Cross-site_request_forgery

    I hope this first API is protected from such abuse.

    The way it should work is that your “API” should get credentials from the original API on behalf of the authorised user, not sneaked out of this user’s browser session. The authorisation token (or something else) should be viewed and managed by the original API and easily revoked when suspicion of abuse arises (automatic or manual). Look at how it’s done on GitHub with external apps/plugins. It’s a good implementation.



  • No, all I want is to be able to post the currently logged-in user’s email or token to my database, using my API.



  • @NickBloodworth said in Saving the Auth0 token to my own database using APIs:

    No, all I want is to be able to post the currently logged-in user’s email or token to my database, using my API.

    Well, I don’t have the means to verify any of that, or whether this original API allows this in its TOS, or even whether it is legal in your assumed jurisdiction.

    Honestly, I’m not comfortable discussing such techniques; those are methods used to hack sites and steal user credentials.

    This question has nothing to do with Quasar. I would argue that it doesn’t belong here (@s-molinari); maybe try this on Stack Overflow and see what they can say to you?



  • First off, tokens are there to avoid a database; they should be stateless. If, however, you want to store a session, then you need a session system (with or without tokens).

    So, I believe any tutorial on how to work with tokens (assuming we are talking about JWTs) will help you understand what is necessary both from the app/client side and the server side.

    Scott

