
Authorization in remotes


Token example

When you create a remote, anyone who knows the path can access it and perform a request or action. However, it is often necessary to restrict this access to only trusted scripts.

The first and simplest method is a token.

In a POST request, you pass "token" = "TOKEN_VALUE" as one of the parameters and check it in the remote code:


=: if(condition: $#post[token] = "TOKEN_VALUE"; then: $select)
select: select(table: 'table'; field: 'summ'; where: 'key' = $#post[key])

In this case, if an external server does not send the token in the POST request or sends an incorrect token, it will not receive a response.

API users example

The second approach is a bit more complex but has an additional advantage.

With the basic setup, if you have several different remotes, each of them is accessed via its own URL.

Using API-user allows you to send a request to a single address, specifying which remote it pertains to in the request body.

  1. For this to work, we need to create a user with the API attribute.

  2. This API-user must be selected in the api_user field in remotes.

  3. The request is made via POST formatted as raw-data to a single address http(s)://domain.zone/Json/.

The request body contains a JSON with an authorization section and a remotes section:

{
  "auth": {
    "login": "json",
    "password": "1111"
  },
  "remotes": [
    {"name": "remote1", "data": {"var1": 1, "var2": [1,2,3]}},
    {"name": "remote2", "data": {"var1": 2, "var2": [3,2,5]}}
  ]
}

Thus, several remotes can be called simultaneously. They will be executed in the order they are passed in the request.

When a remote call is made through the API-JSON interface, the variables passed to the remote can be accessed in the $#data variable!
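A client-side view of the API-JSON request described above, as an added example that is not part of the original documentation. The function names, the API_USER_LOGIN and API_USER_PASSWORD environment variables and the Content-Type header are assumptions; the client refuses plain http because the request body carries the API user's password.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit


def build_api_request(base_url, login, password, calls):
    """Build the single POST to <base_url>/Json/ carrying every remote call.

    calls is a list of (remote_name, data) pairs; list order is preserved
    because remotes are executed in the order they are passed.
    """
    parts = urlsplit(base_url)
    # The body carries the API user's password, so refuse cleartext http.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API-JSON endpoint must be an https:// URL")
    if not login or not password:
        raise ValueError("API user credentials are missing")
    body = {
        "auth": {"login": login, "password": password},
        "remotes": [{"name": name, "data": data} for name, data in calls],
    }
    return urllib.request.Request(
        url=f"https://{parts.netloc}/Json/",
        data=json.dumps(body).encode("utf-8"),  # raw JSON body, not form fields
        headers={"Content-Type": "application/json"},  # assumed header
        method="POST",
    )


def request_from_env(base_url, calls, env=os.environ):
    """Take credentials from the environment instead of hard-coding them.

    API_USER_LOGIN / API_USER_PASSWORD are hypothetical variable names.
    """
    return build_api_request(
        base_url, env.get("API_USER_LOGIN", ""), env.get("API_USER_PASSWORD", ""), calls
    )


if __name__ == "__main__":
    # Constructed sample input: the page's placeholder domain, made-up secret.
    demo_env = {"API_USER_LOGIN": "json", "API_USER_PASSWORD": "constructed-secret"}
    demo_calls = [("remote1", {"var1": 1, "var2": [1, 2, 3]}),
                  ("remote2", {"var1": 2, "var2": [3, 2, 5]})]
    req = request_from_env("https://domain.zone", demo_calls, demo_env)
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req, timeout=10) would send it to a real server.
```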