Hi there,
I’m currently working on an OSX app that makes HTTP requests to EE in order to manage EE data.
I have an add-on that handles specific HTTP requests (using URLs like /system/index.php?/cp/addons/settings/my_addon/list_all), but to have access to that URL, the app needs to automatically log in to EE first.
For now, the app is just getting the CP login page, picking out the form action URL and the csrf_token hidden field from the HTML, and trying to log in using that data. After that it checks the cookies and redirection URL for a session ID and uses that later to make API calls to an add-on.
But it’s hacky, and I had bugs with redirection after logging in or when logging in fails. Plus it needs to be compatible with EE2 and I remember that EE2 had some URL changes around 2.8 if my memory is correct.
I was wondering if I could create an add-on that could simplify that by offering API endpoints:
GET /my_addon/tkn to retrieve a CSRF token
POST /my_addon/login to actually try to log in by sending the csrf token, username and password;
GET /my_addon/logout to log out from the site
What would be the best way to do that? I think my question is more, how can I do that the safest way possible? I don't want to create a security hole, it's my biggest concern.
Thanks!
Ah ok. Is the CP URL used for anything else other than to point to your API backend? If not, could you just have them put in the ACT URL like folks do when they want to use the Metaweblog API in something like MarsEdit? I’m just trying to understand the motivation for the more complicated approach.
I use the CP URL only for API calls, nothing else.
I just want it to be really easy for the user to use. To me, having to enter only the CP URL, login and password is the simplest I could do. Then the app would just have to log in and the app would know each API URL.
I just realized that an ACT URL would be ok. It would be the main entry point to the API.
mywebsite.com/?ACT=42&action=login
mywebsite.com/?ACT=42&action=get_list
Or maybe POST queries?
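To make the proposed exchange concrete, here is an added example that is not ExpressionEngine code and not the poster's add-on: a stand-alone Python mock of the ACT-style API sketched in the thread (token, login, logout and one data call behind `/?ACT=42&action=...`), plus the client side a desktop app would implement. The action id 42, the mock HTTP server, the `sessionid` cookie name and the `admin` account with its password are all constructed for the demo; a real add-on would hand the username and password to EE's own member authentication and session handling instead of the `USERS` dict. The parts worth copying are the ones that close the holes the original question worries about: a single-use token per login attempt, password hashing with a constant-time comparison and one failure message for unknown user and wrong password alike, an HttpOnly session cookie, state changes (login, logout) only over POST so a cross-site GET cannot trigger them, and server-side invalidation on logout so an old cookie stops working.

```python
"""Added example, not ExpressionEngine or the poster's code: a stand-alone
mock of the ACT-style login API sketched above (token, login, logout, one
data call) with a client, so the exchange can be run offline."""
import hashlib, hmac, http.cookiejar, http.cookies, json, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, parse, request

ACT_ID = 42                      # hypothetical action id, as in the post
SALT, ROUNDS = b"demo-salt", 50_000
def pw_hash(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, ROUNDS)
USERS = {"admin": pw_hash("correct horse")}   # constructed account; a real add-on uses EE's member table
TOKENS, SESSIONS = set(), {}     # one-time CSRF tokens; session id -> username

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *a): pass          # keep the demo quiet

    def _json(self, code, body, cookie=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        if cookie: self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _action(self):                         # /?ACT=42&action=... routing
        q = parse.parse_qs(parse.urlparse(self.path).query)
        return q.get("action", [None])[0] if q.get("ACT") == [str(ACT_ID)] else None

    def _session(self):                        # (session id from cookie, username or None)
        c = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        sid = c["sessionid"].value if "sessionid" in c else None
        return sid, SESSIONS.get(sid)

    def do_GET(self):
        action = self._action()
        if action == "tkn":                    # fresh, single-use token per login attempt
            token = secrets.token_hex(16); TOKENS.add(token)
            return self._json(200, {"csrf_token": token})
        if action == "get_list":               # data call: requires a live session
            if self._session()[1] is None:
                return self._json(401, {"error": "login required"})
            return self._json(200, {"items": ["entry 1", "entry 2"]})
        self._json(404, {"error": "unknown action"})

    def do_POST(self):                         # state changes only via POST
        action = self._action()
        n = int(self.headers.get("Content-Length", 0))
        form = parse.parse_qs(self.rfile.read(n).decode())
        field = lambda k: form.get(k, [""])[0]
        if action == "login":
            if field("csrf_token") not in TOKENS:
                return self._json(403, {"error": "bad token"})
            TOKENS.discard(field("csrf_token"))
            expected = USERS.get(field("username"), b"\0" * 32)   # hash even for unknown users
            if not hmac.compare_digest(expected, pw_hash(field("password"))):
                return self._json(401, {"error": "login failed"})   # one message for both failure kinds
            sid = secrets.token_hex(16); SESSIONS[sid] = field("username")
            return self._json(200, {"ok": True}, f"sessionid={sid}; HttpOnly; Path=/")
        if action == "logout":
            SESSIONS.pop(self._session()[0], None)               # invalidate server side
            return self._json(200, {"ok": True})
        self._json(404, {"error": "unknown action"})

class Client:
    """What the desktop app would do: only the base URL, username and password are needed."""
    def __init__(self, base):
        self.base = base
        self.opener = request.build_opener(request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def call(self, action, data=None):         # data=None -> GET, otherwise POST form
        url = f"{self.base}/?ACT={ACT_ID}&action={action}"
        body = parse.urlencode(data).encode() if data is not None else None
        try:
            with self.opener.open(request.Request(url, data=body)) as r:
                return r.status, json.loads(r.read())
        except error.HTTPError as e:           # 4xx: return the code instead of raising
            return e.code, json.loads(e.read())

    def login(self, username, password):
        _, tkn = self.call("tkn")
        code, _ = self.call("login", {"csrf_token": tkn["csrf_token"],
                                      "username": username, "password": password})
        return code == 200

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    c = Client(f"http://127.0.0.1:{srv.server_address[1]}")
    r = {"no_token": c.call("login", {"csrf_token": "x", "username": "admin", "password": "correct horse"})[0],
         "bad_pw": c.login("admin", "wrong"),
         "good": c.login("admin", "correct horse"),
         "list": c.call("get_list")[0]}
    c.call("logout", {})                       # POST with an empty form
    r["after_logout"] = c.call("get_list")[0]
    srv.shutdown()
    return r

if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks the client through a login without a valid token (403), a wrong password (401, no cookie issued), a correct login (200, cookie set), a data call that succeeds, and a data call after logout that is refused again because the server forgot the session, not merely because the client dropped the cookie. In production the whole exchange has to run over HTTPS, since the token and password travel in the request body and the session id in the cookie; the mock binds to loopback only.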
Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.