#Verify fetch request sent from admin panel

20 messages · Page 1 of 1 (latest)

gilded folio
#

Sending a request from the admin panel to /api/endpoint.
What is the correct way to make sure the request is initiated by a valid user and not some random hacker?

It is not a custom endpoint created through the payload config, just a normal function to handle the request.
I inspected cookies, but there doesn't seem to be anything related to payload other than the language preference.

gilded folio
#

Tried to use the useAuth hook, but it only has id and email, nothing about tokens or any other means of auth.

#

How does a custom endpoint defined in the config magically create a user from the request?

gilded folio
#

So obviously the server does something to the incoming request. Some abstraction to conjure a user object.

But where does it come from?
If there is no data in the original request, how does it identify which user sent it?

worldly ivy
#

Hi, if you were able to get the user email from cookies, isn't that enough proof that it's an ordinary user?

gilded folio
#

It is not from cookies. I have no idea where it comes from; the only payload cookie is the language preference. And surely nothing is attached to the fetch request sent from the admin panel.

worldly ivy
#

If you look in the console under Application / Cookies, do you see payload-token?

gilded folio
#

No, only payload-lng.

gilded folio
#

I tried to fetch /api/users/me on the server, from inside the request handler. It returns the user. No idea how it works, or even if it works at all and isn't some temporary glitch.

#

If this is the correct way of doing it, is there an alternative using the local API instead?

gilded folio
#

So how does a custom endpoint get the user from the request? How do I implement it outside of a custom endpoint?

#

Now I printed the cookies again and there is a payload token.

#

How does it even work?
A month ago there was no token, but /api/users/me sent from the server returned a user.
Now there is no user, but the request has the cookie.

#

Alright, now I have the token. How should I proceed with it? Without making API keys.

#

So far I made it work like this:

fetch(`${ENV.NEXT_PUBLIC_APP_URL}/api/users/me`, {
    headers: {
        cookie: `payload-token=${token}`,
    },
})

But what is the actual correct way? I don't want it to stop working a month later again because I happened to apply some obscure deprecated workaround.

gilded folio
#

Aaand there is something broken again. In production the request to /api/users/me returns a response where user is null, although it was sent from a logged-in user.
Locally I cannot reproduce it; the user is present.

gilded folio
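Added example for this thread (not code from Payload or from any poster): it takes the cookie-forwarding snippet posted above and wraps it in a handler that fails closed, which is the part the later "user is null in production" message shows is missing. It assumes, as observed in the thread, that the admin panel sets a cookie named `payload-token` and that `GET /api/users/me` answers `{"user": ...}` with `user === null` when the token is absent, expired or invalid. The names `readCookie`, `resolveUser`, `handleProtected`, `fakePayloadFetch`, `VALID_TOKEN` and the `*.example.test` hosts are constructed for the demo; the real `fetch` is swapped for a constructed stand-in so it runs offline on Node 18+.

```javascript
// Added example, not Payload's own code. Server-side check that a fetch
// reaching our handler came from a user logged in to the Payload admin panel.
// Assumptions (from the thread): the session cookie is "payload-token", and
// GET /api/users/me answers {"user": ...} with user === null when the token
// is missing, expired or invalid. readCookie, resolveUser, handleProtected,
// fakePayloadFetch, VALID_TOKEN and the example.test hosts are constructed.
// Requires Node 18+ (global fetch, Request, Response).

// Pull one named cookie out of a raw Cookie header. Only that cookie is
// forwarded upstream, never the whole header (payload-lng, analytics, ...).
function readCookie(cookieHeader, name) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Ask Payload's own /api/users/me who owns this token. Resolves to the user
// document or null. Null is the only signal that matters: /me can answer
// HTTP 200 with {"user": null} (the production symptom in the thread), so
// a 2xx status alone must never be taken as proof of login.
async function resolveUser(cookieHeader, { baseUrl, fetchImpl = fetch }) {
  const token = readCookie(cookieHeader, 'payload-token');
  if (!token) return null;
  const res = await fetchImpl(`${baseUrl}/api/users/me`, {
    headers: { cookie: `payload-token=${encodeURIComponent(token)}` },
  });
  if (!res.ok) return null;
  const body = await res.json().catch(() => null);
  return body && body.user ? body.user : null;
}

function json(status, body) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// Fetch-API style handler (the shape a Next.js route handler receives).
// Identity comes only from the resolved session, never from ids or emails
// the client puts in the request body or query string.
async function handleProtected(request, opts) {
  const user = await resolveUser(request.headers.get('cookie'), opts);
  if (!user) return json(401, { error: 'unauthenticated' });
  return json(200, { ok: true, userId: user.id });
}

// Constructed stand-in for Payload's /me endpoint so the demo runs offline:
// one known-good token yields a user, anything else yields {user: null}
// with HTTP 200, mirroring the null-user response seen in the thread.
const VALID_TOKEN = 'constructed-demo-token';
async function fakePayloadFetch(url, init) {
  const cookie = (init && init.headers && init.headers.cookie) || '';
  const ok = url.endsWith('/api/users/me') &&
    readCookie(cookie, 'payload-token') === VALID_TOKEN;
  return json(200, { user: ok ? { id: 'u1', email: 'admin@example.test' } : null });
}

const demoOpts = { baseUrl: 'https://cms.example.test', fetchImpl: fakePayloadFetch };

// Two constructed requests: one carrying the good token next to payload-lng,
// one carrying only payload-lng (the state the poster first observed).
async function demo() {
  const target = 'https://app.example.test/api/endpoint';
  const loggedIn = await handleProtected(
    new Request(target, { headers: { cookie: `payload-lng=en; payload-token=${VALID_TOKEN}` } }),
    demoOpts,
  );
  const anonymous = await handleProtected(
    new Request(target, { headers: { cookie: 'payload-lng=en' } }),
    demoOpts,
  );
  return { loggedIn: loggedIn.status, anonymous: anonymous.status };
}

demo().then((r) => console.log(r)); // { loggedIn: 200, anonymous: 401 }
```

Two design points. First, the handler treats `user === null` as "not authenticated" and answers 401 rather than continuing with whatever the client claimed, so the production case above degrades to a denied request instead of an action taken on behalf of nobody. Second, only the `payload-token` cookie is forwarded to `/api/users/me`, not the browser's whole Cookie header. If the deployment runs Payload 3, the same resolution can be done in-process with `payload.auth({ headers })` instead of a loopback HTTP call; the null check stays the same.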