Extract Auth ID from an input parameter

I have a public endpoint that needs to return some initial data; however, if the User is Auth'd (required to make the booking), it needs to return the initial data with the additional data from the booking specific to the Auth ID.

I would like to pass the Auth token via an input and extract the Auth details within a certain part of the function stack. But it seems that the only way to extract the Auth ID is to enable Authentication for the entire endpoint. Is there any way to extract the Auth ID from the authentication token within a function if it is passed as an input rather than in the header?

Best Answer

  • Ray Deck
    Ray Deck Trusted Xano Expert ✭✭✭
    edited November 2022 Answer ✓

    Hey Mike! We did this in a State Change Pro office hours. The token itself is encrypted and only decrypted in the context of the authorization header preprocessor. Our solution was we had endpoint A receive the token as an input, and then called a second, internal-only endpoint, B, using that token in the Authorization header. The second endpoint had access to the contents (id and claims, if any).

Answers

  • Mike Akister

    Thank you @Ray Deck for the suggestion! This is working flawlessly now! I send two parameters to the unauthenticated endpoint, the leg_id and the auth token. I retrieve all the details that I need about the leg that are not behind authentication, and just set those that may have data from behind authentication to default values.

    Then I make the internal API request and pass the auth token in the header of that request and retrieve all the data behind authentication. I then update the results containing default values with the appropriate data from behind authentication. This is such a slick way to implement this, thanks again for the answer!

    Just a snapshot of the default values that then get updated with data

    Default values that are displayed regardless of authentication:

    Values that are then overwritten if data exists behind authentication

    I now only need one endpoint to populate this screen, which saved me building a screen for auth'd users and one for non-auth'd users.


  • Adam Che

    @Ray Deck and @Mike Akister
    Thanks for this, this is exactly what I was looking for.

    I tried this but I'm getting a 403 error.

    When I call the private Xano endpoint from within a public Xano endpoint this is how I set up the auth header:

    I tried both encoded and not.

    The original call is coming from WeWeb, where I include the auth token in the "parent" public endpoint as

    Authorization: Bearer eyJ………


    What am I missing or doing wrong?

    Thanks in advance

  • Ray Deck
    Ray Deck Trusted Xano Expert ✭✭✭

    The key is not a base64 encoded version of the id. The key will be in the headers. You can get the env variable $http_headers and get the path Authorization to get "Bearer eyxeriojdfnernlkjsd…". That's what you then add to your Authorization: prefix for the secondary call.
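
The pattern described in this thread, as an added example that is not part of the original posts and is not Xano code: a public handler reads the incoming `Authorization` header, forwards it unchanged to an authenticated internal endpoint, and falls back to default values when that endpoint rejects it. All function names, field names and the sample token are hypothetical and constructed for illustration, and the internal endpoint is simulated in-process.

```javascript
// Added example: names below are hypothetical, not Xano APIs.
// Constructed sample token; the "internal endpoint" is simulated in-process.
const SAMPLE_TOKEN = "eyJ.constructed.sample";

// Simulated endpoint B: authentication is enforced here, and only here.
function internalEndpointB(headers) {
  if (headers.Authorization !== `Bearer ${SAMPLE_TOKEN}`) return { status: 403 };
  return { status: 200, body: { booking_status: "confirmed", seat: "12A" } };
}

// Pull the Authorization value out of the incoming request headers
// (header names are case-insensitive) and return it unchanged, or null
// if it is missing or is not a well-formed "Bearer <token>" value.
function extractBearer(httpHeaders) {
  const key = Object.keys(httpHeaders).find(k => k.toLowerCase() === "authorization");
  const value = key ? String(httpHeaders[key]).trim() : "";
  return /^Bearer [A-Za-z0-9._~+\/-]+=*$/.test(value) ? value : null;
}

// Public endpoint A: always returns the public data with defaults, and
// overlays authenticated fields only when endpoint B accepts the header.
function publicEndpointA(httpHeaders, legId, callInternal = internalEndpointB) {
  const result = { leg_id: legId, route: "public route info", booking_status: null, seat: null };
  const bearer = extractBearer(httpHeaders);
  if (!bearer) return result;                           // anonymous caller
  const res = callInternal({ Authorization: bearer });  // forwarded verbatim, never re-encoded
  if (res.status !== 200) return result;                // rejected token: defaults only
  // Overlay only fields that already exist as defaults, so the internal
  // response cannot replace public fields or add unexpected ones.
  for (const k of Object.keys(res.body)) {
    if (k in result && k !== "leg_id") result[k] = res.body[k];
  }
  return result;
}
```

The public handler never decodes or verifies the token itself; a token that the internal endpoint rejects yields the same response an anonymous caller would get.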