Forum Discussion

luk's avatar
luk
Boss
6 months ago

What is FreeMarker user.generateLinkUserToken(<string>)?

user.generateLinkUserToken(<string>) is a not documented method on the custom global user context object the FreeMarker implementation of Khoros provides.

calling it with any string argument returns a token like "A7bd_xYIOp6xn6A9dt42rpGqfVDnczYuSKDblZ42ewHydRTKqCE5iluHu_7P0QTdxIU47Mq8t7eGNrN7GbUzLpkKcaNPNI5osNHfgsw0ihY-I6q0XKkHJa_EN_Rh9FmHZRb1WfjE8KxWqvTm9Y4n33B7H4RTStTa3fgty_mn2sMw5fyGE-uJhG5ZUy5UcTjSB7j_wAH1rr9wb2WUtqwMPygZa6pBtD3qV5fm44KfQ4wCIT9s3ymrdP5FVt4iwswPxaQAQS-rsCdmjAPnAQbnuZfGQXQZXsJnv1cMF_DicpY3lk"

but the question is, what is it useful for (for example generating lia-action-token which are used for oob Khoros form submissions) and what is the string argument supposed to be?

I have a feeling only Khoros devs might be able to answer this question, therefore tagging LarryI so you can forward this to the appropriate person.

  • MattV's avatar
    MattV
    Khoros Staff

    That is used by OOB components to prevent CSRF attacks (e.g. tricking a user to click on a url to perform an action they didn't intend to).

    I believe the way this works on the backend, that token is included on links that are considered to be privileged (e.g. giving kudos), and it is checked on the server that it is the same value that is expected. 

    So the only way it would be useful in freemarker, is if you could verify the value. 

    Alternatively, what we do in Professional Services, is create our own random value, and store it in the user cache. We use that value on URLs that will typically call a custom endpoint. In that custom endpoint, we verify the value being sent with the one in the user cache.

  • MattV thank you for the quick reply here!

    I believe the way this works on the backend, that token is included on links that are considered to be privileged (e.g. giving kudos), and it is checked on the server that it is the same value that is expected.

    regarding this: Just to be clear, those are the hidden lia-action-token inputs commonly found on OOB forms? This came to mind because those have often been a culprit when trying to reproduce OOB features in custom components, let's say some kind of OOB form or OOB dropdown menus etc. Concrete example is when we are creating custom topic list views, OOB there is a feature for admins to batch process topics, but we always have to create some ugly workaround to provide an admin view that loads the original OOB component because we can't create a dropdown item to activate batch processing due to it being linked with a lia-action-token. The same then goes for handling batch processed items, OOB the added checkboxes are also linked to a lia-action-token.

    If I could use that method to create the token that is found in those hidden inputs, it would allow me to re-create this kind of OOB functionality if the need arises. So it would be valuable to know if that method would generate these kind of tokens.

    And if that is the case, the follow up question would be with what kind of string this method would need to be called with to create a valid token the server is going to accept when receiving the payload?

    • MattV's avatar
      MattV
      Khoros Staff

      I dug into core code a bit to see where that is used, and it looks like it was included so it could be used in email templates. The only place it's used is in email templates for the reset password link. 

      It doesn't seem like it will be very useful in Freemarker, but you could try replicating OOB behavior by formulating the link the way it is on the OOB component, and see if it works.

      • luk's avatar
        luk
        Boss

        MattV there is actually a specific method to get a password reset token also on the user object, it's called generateResetPasswordToken(), but it seems different from generateLinkUserToken() or is it an alias?

        I'll try and experiment a bit if I find time and report back...