diff options
author | Xavier Priour <xavier.priour@bubblyware.com> | 2015-12-17 23:57:28 +0100 |
---|---|---|
committer | Xavier Priour <xavier.priour@bubblyware.com> | 2015-12-17 23:57:28 +0100 |
commit | 115ea533f621dcc51543f131f05ea9276e9aabc5 (patch) | |
tree | 9dd9003f438d8937a8a74c0502c269fd61a27654 /models/export.js | |
parent | a45a899137b23f95c2f58025e3e06109bdf82a94 (diff) | |
download | wekan-115ea533f621dcc51543f131f05ea9276e9aabc5.tar.gz wekan-115ea533f621dcc51543f131f05ea9276e9aabc5.tar.bz2 wekan-115ea533f621dcc51543f131f05ea9276e9aabc5.zip |
Export: improved API routes
- use an explicit "boards" domain: /api/boards/:boardId
- pass authToken as a request parameter: /api/boards/:boardId?authToken=:token
- in the future, same route can be used with authToken set in the Authenticate: header easily
Diffstat (limited to 'models/export.js')
-rw-r--r-- | models/export.js | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/models/export.js b/models/export.js index e250d935..3d8ee99e 100644 --- a/models/export.js +++ b/models/export.js @@ -1,29 +1,36 @@ /* global JsonRoutes */ if(Meteor.isServer) { // todo XXX once we have a real API in place, move that route there + // todo XXX also share the route definition between the client and the server + // so that we could use something like ApiRoutes.path('boards/export', boardId) + // on the client instead of copy/pasting the route path manually between the client and the server. /* * This route is used to export the board FROM THE APPLICATION. - * We want to identify the logged-in user without asking for password again, - * but the server-side API routing has no notion of "current user". - * So we have to pass login information (id + token) to authenticate. + * If user is already logged-in, pass loginToken as param "authToken": + * '/api/boards/:boardId?authToken=:token' * * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/ * for detailed explanations */ - JsonRoutes.add('get', '/api/b/:boardId/:userId/:loginToken', function (req, res) { - const { userId, loginToken, boardId } = req.params; - const hashToken = Accounts._hashLoginToken(loginToken); - const user = Meteor.users.findOne({ - _id: userId, - 'services.resume.loginTokens.hashedToken': hashToken, - }); + JsonRoutes.add('get', '/api/boards/:boardId', function (req, res) { + const boardId = req.params.boardId; + let user = null; + // todo XXX for real API, first look for token in Authentication: header + // then fallback to parameter + const loginToken = req.query.authToken; + if (loginToken) { + const hashToken = Accounts._hashLoginToken(loginToken); + user = Meteor.users.findOne({ + 'services.resume.loginTokens.hashedToken': hashToken, + }); + } const exporter = new Exporter(boardId); - if(user && exporter.canExport(user)) { + if(exporter.canExport(user)) { JsonRoutes.sendResult(res, 200, exporter.build()); } else { - // we could send an explicit error message, but on the other - // hand the only way to get there is by hacking the UI so... + // we could send an explicit error message, but on the other hand the only way to + // get there is by hacking the UI so let's keep it raw. JsonRoutes.sendResult(res, 403); } }); |