Token example
When you create a remote, anyone who knows the path can access it and perform a request or action. However, it is often necessary to restrict this access to only trusted scripts.
The first and simplest method is a token.
In a POST request, you pass "token" = "TOKEN_VALUE" as one of the parameters and check it in the remote code:
=: if(condition: $#post[token] = "TOKEN_VALUE"; then: $select)
select: select(table: 'table'; field: 'summ'; where: 'key' = $#post[key])
In this case, if an external server does not send the token in the POST request or sends an incorrect token, it will not receive a response.
API users example
The second approach is a bit more complex but has an additional advantage.
With the basic setup, if you have several different remotes, each one is accessed via its own URL.
Using API-user allows you to send a request to a single address, specifying which remote it pertains to in the request body.
For this to work, we need to create a user with the API attribute.
This API-user must be selected in the api_user field in remotes.
The request is made via POST formatted as raw-data to a single address http(s)://domain.zone/Json/.
The request body contains a JSON with an authorization section and a remotes section:
{
  "auth": {
    "login": "json",
    "password": "1111"
  },
  "remotes": [
    {"name": "remote1", "data": {"var1": 1, "var2": [1, 2, 3]}},
    {"name": "remote2", "data": {"var1": 2, "var2": [3, 2, 5]}}
  ]
}
Thus, several remotes can be called simultaneously. They will be executed in the order they are passed in the request.
When a remote call is made through the API-JSON interface, the variables passed to the remote can be accessed in the $#data variable!
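A client for the API-user request described above, as an added example that is not part of the original page or the product's own code. It assumes the credentials come from two hypothetical environment variables (REMOTE_API_LOGIN, REMOTE_API_PASSWORD) instead of being hard-coded, sets a Content-Type header the page does not specify, and refuses a plain http:// address because the login and password travel in the request body.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit


def build_body(login, password, calls):
    """Serialize the auth section plus an ordered list of (remote_name, data) calls."""
    if not login or not password:
        raise ValueError("API-user login and password are required")
    remotes = []
    for name, data in calls:  # list order is kept: remotes run in the order passed
        if not isinstance(name, str) or not name:
            raise ValueError("remote name must be a non-empty string")
        remotes.append({"name": name, "data": data})
    body = {"auth": {"login": login, "password": password}, "remotes": remotes}
    return json.dumps(body).encode("utf-8")


def build_request(base_url, body):
    """Build the POST to <base_url>/Json/; plain http is refused (this example's choice)."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("credentials travel in the body; an https:// base URL is required")
    return urllib.request.Request(
        f"https://{parts.netloc}/Json/",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},  # assumption, not from the page
    )


def call_remotes(base_url, calls, timeout=10):
    """Send the request and return the raw response text (format not described on the page)."""
    # REMOTE_API_LOGIN / REMOTE_API_PASSWORD are hypothetical variable names.
    body = build_body(os.environ["REMOTE_API_LOGIN"], os.environ["REMOTE_API_PASSWORD"], calls)
    with urllib.request.urlopen(build_request(base_url, body), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample calls mirroring the request body shown above.
    sample = [("remote1", {"var1": 1, "var2": [1, 2, 3]}),
              ("remote2", {"var1": 2, "var2": [3, 2, 5]})]
    print(build_body("json", "example-password", sample).decode("utf-8"))
```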