How are you passing InterSystems credentials to your REST API apps, i.e. axios
Hi:
I see a lot of cool REST apps and I'm trying to host something in the TIE using REST/Axios with Vite.
At the moment I will probably host the application in Web Applications in InterSystems.
For authorisation, and for getting the logged-in user and password to any app, is there a standard people are following?
I.e. for axios you might have this in the app:
auth: {
  username: apiUser,
  password: apiPass
}
But surely you want to pass through credentials from the IRIS logged-in user, or alternatively pass the credential request to the IRIS API to first receive the data. How is this done in any of the projects you have done? For the record, I don't remember it being covered in the coffeemaker app I did a long time ago.
Comments
Add password auth as Allowed Authentication Method on Web App configuration page.
Also referred to as instance authentication in the documentation.
I don't understand. Password and LDAP are allowed, so yes, it works; but that's with a hard-coded user. How can it use the IRIS logged-in user?
Can you elaborate please? What do you want to do?
Agreed. I think I now understand: you don't need to know how to authenticate a user. Do you want to (after initial authentication) pass those authentication credentials to another app?
I don't really understand the best practices for building IRIS REST apps and passing authentication through.
I.e. do people just tend to authenticate the CSP page it goes to, and that is fine?
Or, after the authentication method, do they tend to use that same logged-in user to make the API call?
I.e. (although it should be in .env) do REST apps tend to check whether IRIS is authenticated, or should they just use a set-up user and password to make the API call?

Yes, you absolutely don't want to hard-code those in the code. You have two options:
1) Have a login form which asks for those and saves them in either local variables (the user will have to enter the login password after each page refresh) or local storage (not secure because the password is available in plain text). You can try some silly endpoint like _ping and check if it returns 200 or 403 to see if the credentials are valid.
2) Use web sessions and store session information in cookies. Here you can use the usual IRIS login page to authenticate, but it's not REST best practice because the use of sessions is discouraged.
Or 3) set up and implement JWT authentication as described in the documentation: https://docs.intersystems.com/iris20242/csp/docbook/DocBook.UI.Page.cls…
I'd say from my experience, the best for security and production use is 3, most people implement 2, and 1 is only good for prototyping/experiments because it's not secure.
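An added example (not code from any poster in this thread) showing options 1 and 3 above as an axios-style helper for a Vite front end: credentials are held only in closure memory (never localStorage), validated against a ping endpoint by status code, or exchanged once for a JWT that is then sent as a bearer token. The `/_ping` and `/login` paths and the `access_token` response field are assumptions; check them against your IRIS version and the JWT documentation linked above.

```javascript
// Added example for this thread (not code from any poster): an auth helper for
// a Vite front end calling an IRIS REST web application through axios.
// `http` is the axios instance (or a test stub) and must resolve to
// { status, data } like axios does. The `/_ping` and `/login` paths and the
// `access_token` field are assumptions; check them against your IRIS version.
function createIrisAuth(http, baseURL, paths = { ping: '/_ping', login: '/login' }) {
  let basic = null;   // option 1: { username, password }, memory only, never localStorage
  let token = null;   // option 3: JWT access token, memory only

  // Option 1: validate a username/password pair against a cheap endpoint.
  // axios rejects on 4xx by default; validateStatus lets us see the 403 ourselves.
  async function loginBasic(username, password) {
    const res = await http({
      method: 'GET', url: baseURL + paths.ping,
      auth: { username, password },
      validateStatus: () => true,
    });
    basic = res.status === 200 ? { username, password } : null;
    return basic !== null;
  }

  // Option 3: exchange the password once for a JWT and keep only the token.
  async function loginJwt(username, password) {
    const res = await http({
      method: 'POST', url: baseURL + paths.login,
      data: { user: username, password },
      validateStatus: () => true,
    });
    token = res.status === 200 && res.data && res.data.access_token ? res.data.access_token : null;
    return token !== null;
  }

  // Per-request axios config: prefer the bearer token, fall back to basic auth,
  // and refuse to send anything if neither login succeeded.
  function authConfig() {
    if (token) return { headers: { Authorization: `Bearer ${token}` } };
    if (basic) return { auth: { ...basic } };
    throw new Error('not authenticated');
  }

  function logout() { basic = null; token = null; }

  // Usage: const api = createIrisAuth(axios, '/api/myapp');
  //        await api.loginJwt(user, pass); axios.get('/api/myapp/data', api.authConfig());
  return { loginBasic, loginJwt, authConfig, logout, isAuthenticated: () => token !== null || basic !== null };
}
```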
Thanks, although without going into the technical side too much, I think this was the info I wanted. And there is a useful link for JWT down this route: https://community.intersystems.com/post/creating-rest-api-jwt-authentic…