saleor-app-sdk-REDIS_APL/docs/protected-handlers.md

# Protected API handlers

The App SDK provides helpers which ensure, that incoming requests are sent from Saleor dashboard.
Example of such situation could be a change of the application configuration iframe.

> **Warning**
> This handler only works for requests originated from frontend calls. It checks JWT token from the client, which is available
> in AppBridge. Do not call this endpoint from backend context (calling it from API function will fail)

## How to protect the endpoint

First, create handler for your business logic. The only difference from usual NextJS handler is an additional argument `ctx` of type `ProtectedHandlerContext`, which contains additional data related to the request:

```typescript
export type ProtectedHandlerContext = {
  baseUrl: string; // the URL your application is available
  authData: AuthData; // Auth Data which can be used to communicate with the Saleor API
};
```

`createProtectedHandler` will check if:

- the request has `saleor-api-url` header of the Saleor instance
- the API URL has been registered, with help of the APL
- the request has `authorization-bearer`
- the auth token is a valid JWT token created by the Saleor running on the given URL

For example purposes our endpoint will only log welcome message:

```typescript
import { createProtectedHandler, ProtectedHandlerContext } from "@saleor/app-sdk/handlers/next";
import { NextApiRequest, NextApiResponse } from "next";
import { saleorApp } from "../../../saleor-app";

export const handler = async (
  req: NextApiRequest,
  res: NextApiResponse,
  ctx: ProtectedHandlerContext
) => {
  console.log(`Greetings from ${ctx.authData.domain}`);
  res.status(200);
};

/**
 * If any of the requirements is failed, an error response will be returned.
 * Otherwise, provided handler function fill be called.
 */
export default createProtectedHandler(handler, saleorApp.apl);
```

To make your requests successfully communicate with the backend, `saleor-api-url` and `authorization-bearer` headers are required:

```typescript
fetch("/api/protected", {
  headers: {
    /**
     * Both API URL and token are available in the appBridgeState. Based on those
     * headers the backend will check if the request has enough permissions to
     * perform the action.
     */
    "saleor-api-url": saleorApiUrl,
    "authorization-bearer": token,
  },
});
```

If you want to read more about `appBridgeState`, check [App Bridge](./app-bridge.md) documentation.
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00			`# Protected API handlers`

Add note about protected handler (#182) 2023-02-20 09:50:33 +00:00			`The App SDK provides helpers which ensure, that incoming requests are sent from Saleor dashboard.`
			`Example of such situation could be a change of the application configuration iframe.`

			`> Warning`
			`> This handler only works for requests originated from frontend calls. It checks JWT token from the client, which is available`
			`> in AppBridge. Do not call this endpoint from backend context (calling it from API function will fail)`
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00
			`## How to protect the endpoint`

			First, create handler for your business logic. The only difference from usual NextJS handler is an additional argument `ctx` of type `ProtectedHandlerContext`, which contains additional data related to the request:

			```typescript
			`export type ProtectedHandlerContext = {`
			`baseUrl: string; // the URL your application is available`
			`authData: AuthData; // Auth Data which can be used to communicate with the Saleor API`
			`};`
			```

			`createProtectedHandler` will check if:

Implement APL 2.0 (#143) * Implement APL 2.0 * Rename RestAPL to SaleorCloud APL * Add mapping helper * Modify Saleor APL documentation * Update rest of the docs * Update the node version in actions * Update fetch mock * Remove node-fetch pkg * Remove console log * Update test after the rebase 2023-01-11 15:55:10 +00:00			- the request has `saleor-api-url` header of the Saleor instance
			`- the API URL has been registered, with help of the APL`
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00			- the request has `authorization-bearer`
Implement APL 2.0 (#143) * Implement APL 2.0 * Rename RestAPL to SaleorCloud APL * Add mapping helper * Modify Saleor APL documentation * Update rest of the docs * Update the node version in actions * Update fetch mock * Remove node-fetch pkg * Remove console log * Update test after the rebase 2023-01-11 15:55:10 +00:00			`- the auth token is a valid JWT token created by the Saleor running on the given URL`
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00
			`For example purposes our endpoint will only log welcome message:`

			```typescript
			`import { createProtectedHandler, ProtectedHandlerContext } from "@saleor/app-sdk/handlers/next";`
			`import { NextApiRequest, NextApiResponse } from "next";`
			`import { saleorApp } from "../../../saleor-app";`

			`export const handler = async (`
			`req: NextApiRequest,`
			`res: NextApiResponse,`
			`ctx: ProtectedHandlerContext`
			`) => {`
			console.log(`Greetings from ${ctx.authData.domain}`);
			`res.status(200);`
			`};`

			`/**`
			`* If any of the requirements is failed, an error response will be returned.`
			`* Otherwise, provided handler function fill be called.`
			`*/`
			`export default createProtectedHandler(handler, saleorApp.apl);`
			```

Implement APL 2.0 (#143) * Implement APL 2.0 * Rename RestAPL to SaleorCloud APL * Add mapping helper * Modify Saleor APL documentation * Update rest of the docs * Update the node version in actions * Update fetch mock * Remove node-fetch pkg * Remove console log * Update test after the rebase 2023-01-11 15:55:10 +00:00			To make your requests successfully communicate with the backend, `saleor-api-url` and `authorization-bearer` headers are required:
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00
			```typescript
			`fetch("/api/protected", {`
			`headers: {`
			`/**`
Implement APL 2.0 (#143) * Implement APL 2.0 * Rename RestAPL to SaleorCloud APL * Add mapping helper * Modify Saleor APL documentation * Update rest of the docs * Update the node version in actions * Update fetch mock * Remove node-fetch pkg * Remove console log * Update test after the rebase 2023-01-11 15:55:10 +00:00			`* Both API URL and token are available in the appBridgeState. Based on those`
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00			`* headers the backend will check if the request has enough permissions to`
			`* perform the action.`
			`*/`
Rename apiUrl to saleorApiUrl for consistency (#144) 2023-01-12 12:39:49 +00:00			`"saleor-api-url": saleorApiUrl,`
Add protected handler docs (#135) 2022-12-06 17:25:56 +00:00			`"authorization-bearer": token,`
			`},`
			`});`
			```

			If you want to read more about `appBridgeState`, check [App Bridge](./app-bridge.md) documentation.