I’m writing a custom plugin where logged-in users can:
- login to to their GitHub account
- call a route to export some data as JSON
- push it to our project GitHub repository if they have access
I set up a public route for GitHub to send the authorization code once logged in, for example: /plugin/callback
The route needs to be public otherwise GitHub wouldn’t be able to send the token. With a controller I can store the token in the plugin’s content type, but without any user information because that’s not available in a public route.
This means that even though the authorization code is stored, the client can’t know which user it belongs to!
How can I deal with this?
- Can I access any user data from a controller attached to a public route? Just the email would be enough. I suspect the answer is no…
- I would be fine handling this entirely in the client, but GitHub can only callback to a public route so I can’t get the token to the client side of a private plugin page…
Thanks for any help!
This topic has been created from a Discord post (1214241003779784734) to give it more visibility.
It will be on Read-Only mode here.
Join the conversation on Discord
You can access whatever inside of controller
You don’t have an auth user, since there is no user
But if you pass some params along with payload you can use this easily
Thanks for your answer <@632956853122236457> !
You can access whatever inside of controller
That doesn’t seem to be the case for controllers that are handlers of a public route. For example:
// plugin/server/routes/index.js
module.exports = [{
method: 'GET',
path: '/action',
handler: 'example.action', // This controller can access whatever
},
{
method: 'GET',
path: '/callback',
handler: 'example.callback', // This controller can't access a lot of stuff
config: {
auth: false // This is what makes this route callable from the external authentication service (GitHub)
}
}]
// plugin/server/controllers/example.js
module.exports = ({ strapi }) => ({
action(ctx) {
console.log(ctx.state.user) // returns user data
},
callback(ctx) {
console.log(ctx.state.user) // is null
}
})
But if you pass data along with token you can use this easily
Since GitHub is in charge of redirecting to /callback, I’m not sure how I could pass data along with the token.
I ended up solving this by creating a global middleware to intercept the request from GitHub, masking the request was going to a page rather than a route (not fully sure why this is necessary, but it seems to be), and redirect to the plugin homepage with the token in the URL query. I am not sure this is the best answer, but it seems to do the job.
strapi.server.use(async (ctx, next) => {
// intercept the request to the callback route
if (ctx.req.url.startsWith('/my-plugin/callback')){
const {code} = ctx.query; // store the query
ctx.request.url = "/admin"; // adjust the request to make it seem like it's going to a page instead of a route
ctx.redirect(`/admin/plugins/my-plugin?code=${code}`) // redirect and pass the code
}
await next()
})
You don’t have ctx.user cause it’s undefined
But you can do strapi.db.query(‘plugin::user-permissions.user’).findOne({where: … })