General
CSRF
The server now generates a random CSRF token for each request. The token is provided in a domain-specific cookie and does not require any changes to the templates; the feature is handled automatically by the server.
Access tokens
Note that the access tokens feature is a work in progress and will likely change going forward.
The access tokens feature allows data to be protected using special user-defined tokens, for APIs that support it.
The update has two separate processes:
- Regular session handling, where access tokens are taken from the user record
- B2B session handling, where access tokens are taken from the logged-in customer record
The initial version looks for the tokens in the record attributes. The expected attribute name syntax is:
access_token-{api}-{optional id value}
- The {api} part can either be the value ‘all’, in which case the token is used for every API call, or a specific name matching the goerp API names (for example KvsApi), in which case the token is only sent to that specific API.
- The optional -{optional id value} suffix can be used to distinguish separate tokens.
<!-- Examples of attribute names -->
access_token-ServiceApi-x2
access_token-KvsApi-x
access_token-all-x
The attributes need to be of type string, and the value of the attribute is the token.
Goerp automatically parses all keys that match this syntax and sends all of them in the API call headers.
Automatic and manual steps
This process is done automatically for GET requests only; for POST, PUT, PATCH and DELETE the developer needs to make the app add the appropriate token to the accessToken header.
For GET requests all the found tokens are sent; if you want to send a specific token, you need to set the accessToken header on the request manually. For all other request types the accessToken header needs to be passed as a header parameter.
Reading current access tokens
Access tokens are stored in the session object (for both the regular and the B2B user).
We can get the tokens directly by the lowercase goerp API name. Note that the result is an array and needs to be converted to a valid string (a comma-separated string) before it can be used in an API request.
{{ .Session.AccessTokens.ApiTokens.serviceapi }}
We can also access named tokens by their name (the name in this case is the third part of the attribute access_token-ServiceApi-{name}). As with the API tokens, the result is an array, as it contains all attributes with that name.
<!-- access_token-ServiceApi-x2 -->
{{ .Session.AccessTokens.NamedTokens.x2 }}
We can use helpers to get a valid header value (a comma-separated string when there are multiple tokens).
GetForApi
Returns all tokens for an API as a comma-separated string. Note that the input name is not case-sensitive.
{{ .Session.AccessTokens.GetForApi "all" }}
{{ .Session.AccessTokens.GetForApi "serviceapi" }}
GetByName
Returns all tokens that match the unique name (the third part of the attribute name).
<!-- access_token-ServiceApi-x2 -->
{{ .Session.AccessTokens.GetByName "x2" }}
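The following is an added example, not goerp's own code, showing how record attributes named access_token-{api}-{optional id} are grouped into the ApiTokens and NamedTokens maps the templates read, and how GetForApi and GetByName turn them into a header value. The AccessTokens type, the map-based attribute input and the handling of malformed or non-string attributes are assumptions made for this example.

```go
package main

import (
	"sort"
	"strings"
)

// AccessTokens mirrors what the templates read: ApiTokens keyed by lowercase API
// name, NamedTokens keyed by the third part of the attribute name (assumed types).
type AccessTokens struct {
	ApiTokens   map[string][]string
	NamedTokens map[string][]string
}

// ParseAccessTokens groups attributes named access_token-{api}-{optional id}
// whose value is a non-empty string; everything else on the record is ignored.
func ParseAccessTokens(attrs map[string]interface{}) AccessTokens {
	at := AccessTokens{ApiTokens: map[string][]string{}, NamedTokens: map[string][]string{}}
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic token order in the header value
	for _, k := range keys {
		token, ok := attrs[k].(string)
		if !ok || token == "" || !strings.HasPrefix(k, "access_token-") {
			continue // wrong type, empty value, or not an access token attribute
		}
		parts := strings.SplitN(k, "-", 3) // keeps any '-' inside the id part
		if parts[1] == "" {
			continue // "access_token-" with no api part
		}
		api := strings.ToLower(parts[1])
		at.ApiTokens[api] = append(at.ApiTokens[api], token)
		if len(parts) == 3 && parts[2] != "" {
			at.NamedTokens[parts[2]] = append(at.NamedTokens[parts[2]], token)
		}
	}
	return at
}

// GetForApi returns all tokens for one API as a comma-separated header value (name is case-insensitive).
func (a AccessTokens) GetForApi(api string) string {
	return strings.Join(a.ApiTokens[strings.ToLower(api)], ",")
}

// GetByName returns all tokens registered under the third part of the attribute name.
func (a AccessTokens) GetByName(name string) string {
	return strings.Join(a.NamedTokens[name], ",")
}
```

With a record carrying access_token-ServiceApi-x2, access_token-KvsApi-x and access_token-all-x, GetForApi "serviceapi" yields only the ServiceApi token while GetByName "x" yields the KvsApi and all tokens joined by a comma.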