Forum Discussion

grahamgatus
10 years ago

Force rest v2 API calls in an endpoint to be anonymous

Does anyone know if there is a way to execute REST v2 API calls from within an Endpoint as an anonymous user?


I am trying to build a module hosted on an external site that uses an endpoint to fetch data from the community. The endpoint will be called from the browser via Ajax, and the risk I have identified is that the user's Lithium session cookies will be passed to the endpoint if a user browsing the external site is also logged into the community. We want to prevent this from happening, as different users may see different data depending on their permissions.


Is there a way to force api calls to execute under an anonymous user?

  • Here's one solution that might work:

    1. Create a special non-SSO user that has the same permissions as an anonymous user.


    2. In your JavaScript widget, make a call to the API login method with this user's credentials (they'll have to be hard-coded in your JavaScript) to get an authentication token for that user:

    https://community.lithium.com/t5/Community-API/bd-p/developers-rest-api?leaf-id=AuthenticationManager.sessions.login#AuthenticationManager.sessions.login


    3. Use the authentication token in subsequent API calls.


    I've just tried doing this manually on a browser that was logged in, and it seems to work (i.e. it treats you as the special user, not your normal user, even if you were previously logged in).


    If you do use this approach, be aware that the username and password for your anonymous user will be visible to anyone visiting the site, and any metrics from the API calls will be associated with that single user.
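    The three-step flow above, written out as an added example (this is not code from the thread or from Lithium). It assumes a Lithium-style REST v1 login endpoint at `/restapi/vc/authentication/sessions/login` taking `user.login` and `user.password` and answering with `<response status="success"><value type="string">KEY</value></response>`, and that later calls accept the key as a `restapi.session_key` query parameter; the host name, paths and the `fetchImpl` injection point are assumptions. The requests are sent with `credentials: "omit"` so the visitor's own community cookies never ride along on the cross-domain call, which is the risk the question raises; the special user's credentials still sit in page JavaScript, exactly as the answer warns, so that account must hold no more rights than an anonymous visitor.

```javascript
// Added example (not from the thread): the "special low-privilege user" token
// flow from the answer above, against a hypothetical Lithium-style REST v1 API.
// Assumptions (not verified on the page):
//   - POST /restapi/vc/authentication/sessions/login takes user.login and
//     user.password and returns <response status="success"><value type="string">KEY</value></response>
//   - subsequent calls accept the key as the restapi.session_key query parameter
// The account credentials end up in page JavaScript, as the answer warns, so the
// account must have no more rights than an anonymous visitor.

const COMMUNITY = "https://community.example.invalid"; // constructed placeholder host

// Build the login URL for the special user. The credentials are part of this
// URL and are visible to anyone who reads the page source or a network log.
function buildLoginUrl(base, login, password) {
  const u = new URL("/restapi/vc/authentication/sessions/login", base);
  u.searchParams.set("user.login", login);
  u.searchParams.set("user.password", password);
  return u.toString();
}

// Extract the session key from the XML the login method returns; throw on an
// error response so a failed login never silently falls back to cookies.
function parseSessionKey(xml) {
  if (!/<response\s+status="success"/.test(xml)) {
    const msg = /<message>([^<]*)<\/message>/.exec(xml);
    throw new Error("login failed: " + (msg ? msg[1] : "unknown error"));
  }
  const m = /<value\s+type="string">([^<]*)<\/value>/.exec(xml);
  if (!m || !m[1]) throw new Error("login response carried no session key");
  return m[1];
}

// Attach the session key to an API URL so the call runs as the special user.
function withSessionKey(apiUrl, key) {
  const u = new URL(apiUrl);
  u.searchParams.set("restapi.session_key", key);
  return u.toString();
}

// Request options that keep the visitor's own community cookies out of the
// call: credentials "omit" is what stops a logged-in user's session from
// being sent on the cross-domain request.
function anonymousRequestInit(method = "GET") {
  return { method, credentials: "omit", mode: "cors" };
}

// Full flow: log in as the special user, then fetch a resource with its key.
// fetchImpl is injectable so the flow can be exercised without a network.
async function fetchAsSpecialUser(apiPath, login, password, fetchImpl = fetch) {
  const loginRes = await fetchImpl(buildLoginUrl(COMMUNITY, login, password),
                                   anonymousRequestInit("POST"));
  const key = parseSessionKey(await loginRes.text());
  const target = withSessionKey(new URL(apiPath, COMMUNITY).toString(), key);
  const res = await fetchImpl(target, anonymousRequestInit());
  return res.text();
}
```

    Every API call in a widget built this way then carries the special user's key and no cookies, so two visitors, one logged into the community and one not, receive the same response, which is the consistency the question is after.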

    PaoloT
    Lithium Alumni (Retired)

    Hi grahamgatus

    Out of curiosity, why is this behavior identified as a risk? I would normally say that in this situation this is the desired behavior. If a user is logged in in their browser, they should be able to see data that is available to their account.


    Thanks,

    •  I am trying to compare a few alternatives for fetching content from Lithium, one using the browser to make API calls (which get to take advantage of any session cookies that logged-in users may have for the cross-domain AJAX requests back into Lithium), and the other making REST calls from the server, which will be unauthenticated at this point in time.


      If we had a variety of modules deployed onto our site that talk to Lithium, some making direct browser calls and some calling Lithium from the server, there may be differences in returned content for logged-in and non-logged-in users.


      I am trying to assess what would be the best options. At this point, as you suggest, it is probably a better experience to pass through the session cookie.