kc
Ace
12 years ago

Passing session key to end point

We're trying to pass the session key as a query parameter to endpoints and accomplish a similar authentication/authorization check as a REST API call with 'restapi.session_key'. I'm looking for any 'rest()' or 'restadmin()' Freemarker support to verify the session key and execute the rest of the endpoint logic under that verified session.

2 Replies

  • YuriK
    Khoros Expert
    12 years ago
    Hey kc,

    Endpoints should automatically pass the session_key if you pass it to the endpoint.

    Just create your endpoint using rest() as usual, and then pass the session key via restapi.session_key query parameter.

    Hope this helps,

    Yuri
  • By default, the custom endpoint will execute any code and make any rest calls as the 'current user'. So the endpoint should only have permissions to do what the 'current user' can do.

    Lithium picks up the 'current user' from the session cookie, or from the 'restapi.session_key' parameter if specified.

    If an already logged in user navigates directly to the custom endpoint (in the browser) they will automatically be authenticated (as the browser will automatically send the session cookie when it sends the request to the custom endpoint).

    If you are calling the endpoint from a JavaScript application hosted on the same root domain, you can get JavaScript to include the Lithium session cookie in its request by specifying the 'use credentials' parameter in the AJAX call. This only works if the user is already logged in.

    If you are making a call to the custom endpoint from within an external application, you will need to specify the 'restapi.session_key' parameter (the value of which you obtain through a separate call to the authentication method).
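
The two calling modes described in the replies above, as an added example that is not part of the original thread and is not Khoros code. The host, endpoint path and key value are constructed placeholders, the function names are hypothetical, and fetch's `credentials: "include"` is assumed to correspond to the 'use credentials' option mentioned in the reply. Because the external-application mode puts the key in the query string, the example also redacts it before a URL is logged.

```javascript
// Added example: host, path and key below are constructed placeholders.
const SESSION_PARAM = "restapi.session_key"; // parameter name from the thread

// Build fetch() arguments for a custom endpoint (hypothetical helper).
// - sessionKey given -> external application: key goes in the query string
// - no sessionKey    -> same-root-domain browser app: send the session cookie
function buildEndpointRequest(endpointUrl, sessionKey) {
  const url = new URL(endpointUrl);
  // The key or cookie identifies the 'current user', so never send it in clear
  if (url.protocol !== "https:") {
    throw new Error("refusing to send session credentials over " + url.protocol);
  }
  const init = { method: "GET", credentials: "omit" };
  if (sessionKey) {
    url.searchParams.set(SESSION_PARAM, sessionKey);
  } else {
    init.credentials = "include"; // fetch counterpart of XHR withCredentials
  }
  return { url: url.toString(), init };
}

// Replace the key's value before a URL reaches logs or error reports
// (hypothetical helper).
function redactSessionKey(rawUrl) {
  const url = new URL(rawUrl);
  if (url.searchParams.has(SESSION_PARAM)) {
    url.searchParams.set(SESSION_PARAM, "REDACTED");
  }
  return url.toString();
}

// Constructed sample values; pass url and init to fetch() to make the call.
const ENDPOINT = "https://community.example.com/custom-endpoint-placeholder";
const external = buildEndpointRequest(ENDPOINT, "constructed-key-123");
const sameDomain = buildEndpointRequest(ENDPOINT);
console.log(redactSessionKey(external.url), sameDomain.init.credentials);
```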