Add protected handler docs (#135)
This commit is contained in:
Krzysztof Wolski
GitHub
parent
f4bfec2b15
commit
52c31f7d30
1 changed files with 62 additions and 0 deletions
62
docs/protected-handlers.md
Normal file
62
docs/protected-handlers.md
Normal file
|
|
@ -0,0 +1,62 @@
|
|||
# Protected API handlers
|
||||
|
||||
The App SDK provides helpers which ensure, that incoming requests are send from Saleor dashboard. Example of such situation could be a change of the application configuration iframe.
|
||||
|
||||
## How to protect the endpoint
|
||||
|
||||
First, create handler for your business logic. The only difference from usual NextJS handler is an additional argument `ctx` of type `ProtectedHandlerContext`, which contains additional data related to the request:
|
||||
|
||||
```typescript
|
||||
export type ProtectedHandlerContext = {
|
||||
baseUrl: string; // the URL your application is available
|
||||
authData: AuthData; // Auth Data which can be used to communicate with the Saleor API
|
||||
};
|
||||
```
|
||||
|
||||
`createProtectedHandler` will check if:
|
||||
|
||||
- the request has `saleor-domain` header
|
||||
- the domain has been registered, with help of the APL
|
||||
- the request has `authorization-bearer`
|
||||
- the auth token is a valid JWT token created by the Saleor running on the given domain
|
||||
|
||||
For example purposes our endpoint will only log welcome message:
|
||||
|
||||
```typescript
|
||||
import { createProtectedHandler, ProtectedHandlerContext } from "@saleor/app-sdk/handlers/next";
|
||||
import { NextApiRequest, NextApiResponse } from "next";
|
||||
import { saleorApp } from "../../../saleor-app";
|
||||
|
||||
export const handler = async (
|
||||
req: NextApiRequest,
|
||||
res: NextApiResponse,
|
||||
ctx: ProtectedHandlerContext
|
||||
) => {
|
||||
console.log(`Greetings from ${ctx.authData.domain}`);
|
||||
res.status(200);
|
||||
};
|
||||
|
||||
/**
|
||||
* If any of the requirements is failed, an error response will be returned.
|
||||
* Otherwise, provided handler function fill be called.
|
||||
*/
|
||||
export default createProtectedHandler(handler, saleorApp.apl);
|
||||
```
|
||||
|
||||
To make your requests successfully communicate with the backend, `saleor-domain` and `authorization-bearer` headers are required:
|
||||
|
||||
```typescript
|
||||
fetch("/api/protected", {
|
||||
headers: {
|
||||
/**
|
||||
* Both domain and token are available in the appBridgeState. Based on those
|
||||
* headers the backend will check if the request has enough permissions to
|
||||
* perform the action.
|
||||
*/
|
||||
"saleor-domain": domain,
|
||||
"authorization-bearer": token,
|
||||
},
|
||||
});
|
||||
```
|
||||
|
||||
If you want to read more about `appBridgeState`, check [App Bridge](./app-bridge.md) documentation.
|
||||
Loading…
Reference in a new issue