Issue using Softr API to validate a token

According to this article, (https://yourdomain.softr.app/v1/api/users/validate-token) is used to validate tokens, but we can’t figure out what to replace it with. Using either the softr subdomain or the custom domain we have in place results in 404 or other errors. Any advice?

@artur Any insight? We’re trying to implement some features but running into a roadblock with this.

@Jakob can you pls DM me the app domain?

admin.yeskandu.com

I was going to make fun of Jakob for not knowing how to DM. But I can’t figure it out either… @artur?

@kandujeremy here we go :slight_smile:

@Jakob and @kandujeremy ok found the issue. I think you folks are performing GET requests instead of POST requests.

Ahh. Probably LOL. I’ll try again with POST!! I just assumed the 404 meant I had the wrong address. Should it be admin.yeskandu.com.softr.app/v1/api/users/validate-token then?

By the way, I don’t have a “message” button when I click like you did.

I will check the message button to see if there are any restrictions.

Re URL, use this admin.yeskandu.com/v1/api/users/validate-token

I know it’s not you, it’s me. I’m the problem… haha

I get a 400 error no matter what I try.

(the -Body parameter in invoke-webrequest is a string passed the same as “data-raw” according to docs.)

EDIT: okay, so I switched all my ’ and " around and added UseBasicParsing and I get a 200 with no data back… reading docs to see if that is expected for a valid token…

EDIT2: the response seems to be “true”. I need something like… logged in user email though…

JSON parse error: Unexpected character (''' (code 39)): was expecting double-quote to start field name; nested exception is com.fasterxml.jackson.core.JsonParseException: Unexpected character (''' (code 39)): was expecting double-quote to start field name

use " instead of ' for JSON and it should work

I’ve almost got it. But I only get a true or false. Can I decode the token myself with an API key and secret or some such magik?

My issue: we’re generating a signed link for a user to get to third-party sensitive info. The third party gives us key and secret, we make a signed jwt with that and the user’s email address, the third party uses that to generate a link, we pass the link back to the client. We want to validate that the user is actually logged in on softr, but we’re getting email from the browser via loggedInUser. As it stands with just a true/false from validate-token, the user could send a valid token with another user’s email address and we would get a true on the softr jwt and then use the hacked email to generate the token for the third party. I hope that makes sense.

You can decode it in many different places too (e.g. “How to decode jwt token in javascript without using a library?” on Stack Overflow), but you need to verify it first with us that it’s valid

okay! that makes sense. I’ll figure it out! I was seriously stuck on this stupid post thing because I was trying to find the right address with a browser lol

thanks for the help

OMG THANK YOU. validate the token, decode the token if it validates to true. I got this!!


@kandujeremy, that’s it. Just make sure you do it outside of browser so that potential attacker doesn’t intervene between validation and description and use

Yup, we’re doing it all in Lambda (Node 18.x) on AWS. No secrets to browsers!
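The server-side flow the thread converges on (POST the token to validate-token, decode the JWT only if the answer is true, and take the email from the decoded token rather than from the browser's loggedInUser value), written out as an added Node 18 example. This is not Softr's code and not code from anyone in the thread; it assumes the endpoint accepts a JSON body of the form {"token": "..."} and answers with a bare JSON true/false, and that the JWT payload carries the user's email in an "email" claim. The fetch implementation is injectable so the whole flow runs offline against constructed sample data.

```javascript
// Added example, not Softr's own code. Node 18+ (global fetch, Buffer base64url).
// Assumptions (not confirmed in the thread): POST body {"token": "..."} and a
// JSON `true`/`false` response; the JWT payload has an "email" claim.

// Custom-domain URL given in the thread; the GET form returned a 404, so POST is used.
const VALIDATE_URL = "https://admin.yeskandu.com/v1/api/users/validate-token";

// Decode the JWT payload WITHOUT checking its signature. This is only acceptable
// because the token is first validated by Softr's endpoint; never act on the
// claims of a token that has not been validated.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT (expected header.payload.signature)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Ask Softr whether the token is valid. `fetchImpl` defaults to the global fetch
// and is injectable for offline use.
async function validateWithSoftr(token, fetchImpl = fetch) {
  const res = await fetchImpl(VALIDATE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    // JSON.stringify emits double quotes; single quotes caused the parse error in the thread.
    body: JSON.stringify({ token }),
  });
  if (!res.ok) throw new Error(`validate-token returned HTTP ${res.status}`);
  return (await res.json()) === true;
}

// Full flow: returns the email to use for the third-party link, or null.
// The email is taken from the validated token, NOT from a browser-supplied
// value, so a request carrying a valid token plus someone else's email is rejected.
async function resolveEmail(token, claimedEmail, fetchImpl = fetch) {
  if (!(await validateWithSoftr(token, fetchImpl))) return null;
  const { email } = decodeJwtPayload(token);
  if (typeof email !== "string") return null;
  if (claimedEmail !== undefined && email.toLowerCase() !== claimedEmail.toLowerCase()) {
    return null; // mismatch between token identity and what the client claimed
  }
  return email;
}

// --- constructed sample data so the example runs offline ---
// Builds an unsigned, hypothetical token with the JWT layout; only the fake
// validator below treats it as valid.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}

// Stand-in for Softr's endpoint: "valid" means the token is in the allow-set.
function makeFakeFetch(validTokens) {
  return async (_url, opts) => {
    const { token } = JSON.parse(opts.body);
    return { ok: true, status: 200, json: async () => validTokens.has(token) };
  };
}

const SAMPLE_TOKEN = makeSampleJwt({ email: "alice@example.com", exp: 4102444800 });
const FORGED_TOKEN = makeSampleJwt({ email: "mallory@example.com", exp: 4102444800 });
const fakeFetch = makeFakeFetch(new Set([SAMPLE_TOKEN]));

// Demo: valid token with matching email resolves; a forged token or a
// mismatched claimed email does not.
resolveEmail(SAMPLE_TOKEN, "alice@example.com", fakeFetch).then((e) =>
  console.log("valid token, matching email ->", e));
resolveEmail(SAMPLE_TOKEN, "mallory@example.com", fakeFetch).then((e) =>
  console.log("valid token, claimed email of another user ->", e));
resolveEmail(FORGED_TOKEN, "mallory@example.com", fakeFetch).then((e) =>
  console.log("forged token ->", e));
```

Decoding happens only after validation returns true, and the identity handed to the third party is the one inside the validated token; the claimedEmail check is an extra consistency test, not the source of truth. Running this in Lambda rather than the browser keeps the validate-then-decode step out of the client's reach, which is the point artur makes above.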