Skip to main content
Answer

Authenticate a specific user against a plugin / verify user in plugin context

  • May 12, 2023
  • 2 replies
  • 252 views
T
Forum|alt.badge.img+1

I would like to know if I can have front to authenticate a user against a front plugin. The plugin does receive an auth_secret but it is a global value and can easily be traced in the http inspector.

  1. Is there an option to have an auth_secret per user that only that user can see?
  1. How secure is the `tea_XXXX` id I can find in `context.teammate.id`. I think that these don’t seem to be not visible / guessable on the front end?

Basically, how sure can I be that in the context that my plugin receives, the teammate is actually the currently logged in front teammate and that the context has not been tampered with?

 

Thanks,

Tilmann

Best answer by jason

Hi,

I’ll start with the Teammate ID - this is not necessarily a secret/secure field; each Teammate has their own tea_… ID which is accessible via the API. It’s only possible to guess a Teammate’s ID if you can log in to Front as that teammate; as an outsider, you wouldn’t be able to determine the ID of a teammate in another Front account. 

The Auth secrets are generated per-plugin, so for all teammates using the same plugin, the auth secret will be the same for all of them. The auth secret itself is exposed only in your Developer > Plugin settings, so only your Front admins can access this field. You may want to consider setting a Content Security Policy on your application to ensure it is only accessible via requests issued from Front, and perform server-side validation on the auth_secret to prevent exposing your auth_secret to the client-side. 

I hope this is helpful!

2 replies

jason
Forum|alt.badge.img+8
  • jason
  • Fronteer
  • Answer
  • May 12, 2023

Hi,

I’ll start with the Teammate ID - this is not necessarily a secret/secure field; each Teammate has their own tea_… ID which is accessible via the API. It’s only possible to guess a Teammate’s ID if you can log in to Front as that teammate; as an outsider, you wouldn’t be able to determine the ID of a teammate in another Front account. 

The Auth secrets are generated per-plugin, so for all teammates using the same plugin, the auth secret will be the same for all of them. The auth secret itself is exposed only in your Developer > Plugin settings, so only your Front admins can access this field. You may want to consider setting a Content Security Policy on your application to ensure it is only accessible via requests issued from Front, and perform server-side validation on the auth_secret to prevent exposing your auth_secret to the client-side. 

I hope this is helpful!

kvishwambar
Forum|alt.badge.img
  • kvishwambar
  • Conversationalist
  • November 1, 2023

Hi,
 

Could you please guide me on how I can access this Teammate ID in my plugin code? I'm interested in using this information to ensure that actions within my plugin are associated with the currently logged-in Front teammate.
 

Any code examples or documentation links related to accessing the Teammate ID via the Front plugin would be greatly appreciated.
 

Thank you in advance for your assistance!
 

Best regards,
Karthik

M
Terms & ConditionsCookie settingsAccessibility statement