
API responses do not include any information about the currently authenticated user

tisto opened this issue 8 years ago • 8 comments

Problem: When an auth token is expired on a front end app, there is currently no way to tell that the user needs to login again. Regular views that are not protected (e.g. portal root, any public content object) will always return HTTP 200 (with no content at all or just the content anonymous users are allowed to see). The only thing the front end app currently can do is accessing a protected resource and check the HTTP response (which is way too complex and time consuming to do on every single request).

A possible solution would be to include the authenticated user id (or "anonymous") in all responses. Maybe there are better options...

Opinions? @bloodbare @sneridagh @buchi @lukasgraf

tisto avatar Jan 03 '17 10:01 tisto

Proposal:

Include currentlyLoggedInUser attribute with a hypermedia link to the user and some basic information that is necessary to display the Plone user menu:

{
  "currentlyLoggedInUser": {
    "@id": "http://localhost:8080/Plone/@users/tisto",
    "username": "tisto",
    "fullname": "Timo Stollenwerk"
  }
}

For unauthenticated users the currentlyLoggedInUser attribute is null:

{
  "currentlyLoggedInUser": null
}

tisto avatar Jan 08 '17 20:01 tisto

@tisto I would add the URL of the avatar too, or at least be able to parametrize the amount of information to be returned.

Should we also use camel cased attribute names or stick to snake_case?

sneridagh avatar Jan 09 '17 09:01 sneridagh

@sneridagh right, the avatar image link would be useful as well. Anything else I might have missed?

Regarding the attribute names we need to define a best practice. Camel case is considered best practice in the JS world. We have mixed camel case (Zope) and snake case (Python). So I guess there is no right/wrong answer to that question, just preferences that people might have.

tisto avatar Jan 09 '17 15:01 tisto

@tisto this would be added in responses to every GET request? Seems a bit verbose to me to be honest.

And I don't quite understand the use case, but I'm probably missing something: If you're authenticating using JWT, the client is in possession of the token, including the payload. And the token payload should contain the username, expiry date of the token as well as the full name. That was part of the rationale of using JWT for frontend applications, no? 😉

lukasgraf avatar Jan 09 '17 16:01 lukasgraf
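The client-side check lukasgraf describes, as an added example that is not part of the issue thread and not plone.restapi's own code: the front end decodes the JWT payload it already holds and reads the expiry claim, so it can tell locally whether it needs to log in again instead of probing a protected resource on every request. It assumes a compact JWS token (three base64url segments) whose payload carries the standard `exp` claim and a `sub` user-id claim; those claim names, the `makeSampleToken` helper and the sample tokens are assumptions constructed for the example. The client never verifies the signature (it has no way to), so this only decides when to re-authenticate; whether a token is accepted stays the server's decision.

```javascript
// Added example, not code from the plone.restapi issue thread or project.
// Decodes a JWT payload client-side to decide whether re-login is needed.
// Assumptions: Node.js (Buffer global); token is a three-part base64url
// string; payload uses the standard "exp" claim and a "sub" user-id claim.
// No signature check: the client cannot verify the server's secret, so the
// result is advisory only and the server remains the authority.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS token');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns one of: malformed, unknown, expired, valid.
function tokenStatus(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch (e) {
    return { state: 'malformed', user: null };
  }
  const user = typeof payload.sub === 'string' ? payload.sub : null;
  // A missing exp means the client cannot decide locally (the server may
  // have disabled expiry); fall back to the server's answer in that case.
  if (typeof payload.exp !== 'number') {
    return { state: 'unknown', user };
  }
  if (payload.exp <= nowSeconds) {
    return { state: 'expired', user };
  }
  return { state: 'valid', user, expiresIn: payload.exp - nowSeconds };
}

// Constructed sample tokens (assumption): header and payload are real
// base64url JSON, the signature is a dummy since the client never checks it.
function makeSampleToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj))
      .toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.dummysignature`;
}

const SAMPLE_VALID = makeSampleToken({
  sub: 'tisto',
  fullname: 'Timo Stollenwerk',
  exp: 2000000000,
});
const SAMPLE_EXPIRED = makeSampleToken({
  sub: 'tisto',
  fullname: 'Timo Stollenwerk',
  exp: 1483920000,
});

// Usage: call tokenStatus(token) before each request; on "expired" or
// "malformed" send the user to the login flow, on "unknown" let the
// server's 401 decide, on "valid" proceed.
```

The `expiresIn` value lets the front end schedule a renewal slightly before expiry rather than discovering it from a failed request.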

@lukasgraf the use case is

a) we need to be able to tell if the user is authenticated for every single request
b) we want to be able to show the information of the Plone user menu without an additional request

I will look into the JWT payload option and see if we can come up with a proper solution to our problems.

tisto avatar Jan 10 '17 13:01 tisto

@tisto I see. I wouldn't mind this info, though I would probably have chosen something like authenticated_user for the attribute name (a bit more succinct, and I think we're using snake_case pretty much everywhere else)

lukasgraf avatar Jan 12 '17 17:01 lukasgraf

Hi all,

I know this is an old issue, but is there any update on this?

I am trying to get the currently authenticated user in a Plone site from another website (outside Plone) using the REST API, and I see that there is no method to get the current user (More in https://community.plone.org/t/how-to-know-if-user-is-currently-logged-in/20517).

Thank you

albavilanova avatar Jan 27 '25 11:01 albavilanova

@albavilanova No, in order for the REST API to recognize that there is a current user, the user needs to be authenticated in some way, and in order to authenticate to the API as a specific user, the client has to already know the user id.

davisagli avatar Jan 27 '25 18:01 davisagli