How can I request only the entries that belong to the authenticated user at a given endpoint?

SITUATION: In my strapi database, a User (default strapi user in collection types) has some data that belongs to it. These data are entries in different collection types and the ownership is specified via relations between the user that owns them, and the entry.

TASK: I’d like to be able to send a request to an endpoint and use an Authentication header with a user’s JWT token as the bearer. I then want this endpoint to return ONLY the data that belongs to the user whose JWT token was provided in the request header. In other words, the endpoint should return only the entries which have relationships with the user whose token I provide in the header. How can I achieve this?

STRAPI: v4.15.5
NODE: v18.13.0

PS. I have thought of many ways to do this in the front end, or even to request only the data whose user’s id matches mine. But I can imagine that doing it this way can cause many security concerns for later scaling my project. If anyone has any info about security in this manner, I am curious to find out.

Hi, have the same issue, did you figure it out?

I did for a while; however, the new Strapi update has somehow broken my fix.
The solution was to create a controller:
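```js
// Assumption: `jwt` is the jwt-decode package, imported at the top of the
// controller file, e.g. const jwt = require('jwt-decode');
async find(ctx) {
  const authorizationHeader = ctx.headers.authorization;

  if (!authorizationHeader) {
    return ctx.badRequest('Authorization header is required');
  }

  // Expect "Bearer <token>"; without this check a missing token makes the decode throw.
  const [scheme, token] = authorizationHeader.split(' ');
  if (scheme !== 'Bearer' || !token) {
    return ctx.badRequest('Authorization header must be "Bearer <token>"');
  }

  // jwtDecode only decodes the payload; it does not verify the signature.
  const decodedToken = jwt.jwtDecode(token);

  // Replace the incoming query with a filter on the owning user.
  ctx.query = {
    filters: {
      user: {
        id: {
          $eq: decodedToken.id
        }
      }
    }
  };

  const { data, meta } = await super.find(ctx);
  return { data, meta };
},
```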

Keep in mind that this no longer works. I will get back here once I find what does work.
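An added example, not part of the thread and not Strapi's own code: one way to enforce the ownership filter on the server using the identity the framework has already verified, rather than an id decoded from the header by hand. It assumes the route requires authentication so that the users-permissions plugin has set `ctx.state.user`, that the relation field is called `user` as in the post above, and that `coreFind` is a hypothetical stand-in for `super.find`.

```javascript
// Added example, not code from the thread. Assumptions: the route requires
// authentication, so the users-permissions plugin has already verified the JWT
// and set ctx.state.user; the relation field is named "user" as in the post.

// Build a query that always carries the ownership condition.
function scopeToOwner(query, userId) {
  const ownerFilter = { user: { id: { $eq: userId } } };
  const { filters: clientFilters, ...rest } = query || {};
  return {
    ...rest,
    // $and keeps the client's filters usable, but they can only narrow the
    // result: a client-sent filter on another user's id matches nothing.
    filters: clientFilters ? { $and: [clientFilters, ownerFilter] } : ownerFilter,
  };
}

// Controller logic. `coreFind` is a hypothetical stand-in for `super.find`
// so the example runs without Strapi installed.
async function findOwn(ctx, coreFind) {
  const user = ctx.state && ctx.state.user;
  if (!user) {
    // No verified identity: refuse instead of trusting the raw header.
    return ctx.unauthorized('Authentication required');
  }
  ctx.query = scopeToOwner(ctx.query, user.id);
  const { data, meta } = await coreFind(ctx);
  return { data, meta };
}

// Constructed request: user 7 asks for user 1's entries.
const demoCtx = {
  state: { user: { id: 7 } },
  query: { filters: { user: { id: { $eq: 1 } } }, sort: 'createdAt:desc' },
  unauthorized: (msg) => ({ error: msg }),
};
// The stub echoes the query that would reach the core find.
findOwn(demoCtx, async (c) => ({ data: c.query, meta: {} }))
  .then((res) => console.log(JSON.stringify(res.data)));
```

The printed query shows both conditions under `$and`, so the request for user 1's entries made with user 7's token selects no rows.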

Did you find something that worked for you?