I would like to know if I can have Front authenticate a user against a Front plugin. The plugin does receive an auth_secret, but it is a global value and can easily be traced in the HTTP inspector.
- Is there an option to have an auth_secret per user that only that user can see?
- How secure is the `tea_XXXX` id I can find in `context.teammate.id`? I think that these don’t seem to be visible / guessable on the front end?
Basically, how sure can I be that in the context that my plugin receives, the teammate is actually the currently logged in front teammate and that the context has not been tampered with?
Best answer by jason
I’ll start with the Teammate ID - this is not necessarily a secret/secure field; each Teammate has their own tea_… ID which is accessible via the API. It’s only possible to guess a Teammate’s ID if you can log in to Front as that teammate; as an outsider, you wouldn’t be able to determine the ID of a teammate in another Front account.
The Auth secrets are generated per-plugin, so for all teammates using the same plugin, the auth secret will be the same for all of them. The auth secret itself is exposed only in your Developer > Plugin settings, so only your Front admins can access this field. You may want to consider setting a Content Security Policy on your application to ensure it is only accessible via requests issued from Front, and perform server-side validation on the auth_secret to prevent exposing your auth_secret to the client-side.
I hope this is helpful!