Validate and remove on backend using Admin Client / API key

  • 0
  • Self Hosted
  • Auth
  • General
Kenjiro-dono
10 Oct, 2025, 20:57

Hey all,

I am a little confused about the correct workflow. I am using .NET (Appwrite v1.7.4, latest working official .NET SDK library). I understand there are client and server endpoints (using session secret or API key). However, trying to validate the session (based on the received session secret) only works using the Client endpoint ("Account", auth with session secret)? The problem is that this endpoint is rate limited and my application is supposed to handle everything from the backend.

Am I missing something? Currently my workflow is like this:

C#
// Create / login by mail
var accountService = new Account(appwriteAdminClient.Client);
var token = await accountService.CreateEmailToken(ID.Unique(), request.UserEmail);

// Authenticate by mail received
var accountService = new Account(appwriteAdminClient.Client);
var session = await accountService.CreateSession(request.UserId, request.Secret); // Use mail OTP

// On API calls check session validity
appwriteSessionClient.Client.SetSession(sessionSecret.ToString());
var accountService = new Account(appwriteSessionClient.Client);
var user = await accountService.Get();

The appwriteSessionClient is newly instantiated whenever used, the appwriteAdminClient is a re-used singleton instance.

TL;DR
Developers are confused about validating sessions using the Admin Client/API key in Appwrite .NET SDK. They are currently using the Client endpoint which is rate-limited. To handle everything from the backend, they should use the JWT library to decode the session. This will allow them to validate and remove the session properly.