[SOLVED] Auth login in server side

  • Databases
  • REST API
Mosh Ontong
1 Jan, 2024, 11:54

Alright then, I'll let you know after I test this.

TL;DR
The thread discusses the possibility of using server-side authentication in an Appwrite API. It is mentioned that server-side SDKs can be used to bypass security checks with API key scopes, while client-side SDKs have rate limits and require authentication. The main difference between client-side and server-side authentication is the level of security and manipulation. JWTs are mentioned as a method for authentication, generated on the client-side and passed to the server-side. The thread ends with a user planning to test Postman's ability to handle user cookies.
Mosh Ontong
1 Jan, 2024, 11:55

But the question is, how can Postman handle the user cookies?

ideclon
1 Jan, 2024, 11:58

Been a while since I used Postman (since they implemented that whole cloud sync thing), but I’ve created Appwrite sessions direct with curl, and with other, similar tools. The /account/sessions/email endpoint will return Set-Cookie headers. You can just copy these into the request (I think Postman can handle the cookies automatically, too?)

D5
1 Jan, 2024, 12:15

I don't understand the context at all. A JWT is generated server-side and sent to the client side to perform operations for 15 minutes. You can use it server-side to act as the user, with the same permissions the user has, rather than performing your own checks with a function, for example.

If the main doubt is generating it server-side to use it server-side, then I don't understand what the main use case for this is 🤔

ideclon
1 Jan, 2024, 12:20

JWTs (in Appwrite, at least) are generally generated on the client side, then passed to the server side.

In this post, JWTs are just the original assumption of a method to reach the desired outcome - which was to make calls to Appwrite (as a User) from Postman.

D5
1 Jan, 2024, 12:23

Okay, I understand now

D5
1 Jan, 2024, 12:24

Basically it's possible to do the cookie approach as you said; the main advantage is that they will not need to be renewed every 15 min.

Mosh Ontong
1 Jan, 2024, 12:25

Thank you for explaining my desired outcome.

ideclon
1 Jan, 2024, 12:26

Well, also, you can actually replicate what’s really happening with your regular SDK requests (which I would expect is generally the point of creating requests in Postman)

D5
1 Jan, 2024, 12:28

I'm double-checking this. A JWT generally needs to have some kind of authorisation from the server before being generated, or be generated directly on the server 🤔

ideclon
1 Jan, 2024, 12:30

Well, what makes something client side vs server side? In the case of Appwrite, it literally just means: are you sending a cookie, an API key, or a JWT as authorisation?

D5
1 Jan, 2024, 12:31

Server side is harder to manipulate.

D5
1 Jan, 2024, 12:31

That's the main difference

ideclon
1 Jan, 2024, 12:32

Why? What makes the server API any different from the client API? It’s really even the same API, just with different auth credentials!

D5
1 Jan, 2024, 12:37

Yes, I mean, the server-side SDK is basically limitless; it doesn't have rate limits since it's supposedly in a secure/controlled environment. Meanwhile, the client side has rate limits to prevent abuse and needs authentication to access a specific resource, whereas the server side bypasses security checks with the API key scopes.

The main issue with using the client SDK server-side is that it can hit rate limits, since it will probably use the same IP address to perform the requests.

ideclon
1 Jan, 2024, 12:39

But there’s nothing stopping you from using a Server SDK client-side, or a Client SDK server-side

ideclon
1 Jan, 2024, 12:39

Yes, the IP rate limits might be an issue

D5
1 Jan, 2024, 12:59

Well, using the server side on an untrusted client, I think it will not be a good idea.

D5
1 Jan, 2024, 13:00

But yes, you can

ideclon
1 Jan, 2024, 13:06

Oh, absolutely - most of the time. Do remember that API keys can be scoped

D5
1 Jan, 2024, 13:07

But it will give you access to, for example, the entire database.

ideclon
1 Jan, 2024, 13:07

But my point here was simply that yes, you can call all the REST APIs you like in Postman

ideclon
1 Jan, 2024, 13:08

Only if you give the key database.read permissions. And that may be absolutely fine, in some use cases.

D5
1 Jan, 2024, 13:08

Yes, depends on the use case
