XF 2.2 Authentication from a Node application

[ppissanetzky]

I'm working on a Node application that is on the same domain as our forum. I'd like to authenticate every request to this application against the forum, to ensure the calling user is valid and get user information. My application has access to all the XF cookies in every request.

What I'm doing now is grabbing the xf_session cookie from the incoming request and then calling the auth/from-session endpoint with a super user key (and no user id header) to authenticate the user and get the information. This is not very reliable. I do not include any other cookies from the incoming request in this API request.

Some incoming requests are missing the xf_session cookie - presumably because it has expired but include the xf_user cookie. I see that visiting the forum in that case, a new session is created.

So, my question is, how should I go about doing this? How can I authenticate every request and get the calling user's info?

 

[Mike]

The xf_user cookie is the remember_cookie parameter that auth/from-session takes. So the best way to handle this is to pass both the session cookie and remember cookie values into the endpoint. The code will look at the session ID first (if provided). If it doesn't resolve to a valid session, it will then look at the remember cookie to see if that points to a valid user. If neither work, it will return a failure (success=false).

 

[ppissanetzky]

Perfect, thank you. It was not obvious that xf_user is the remember cookie.