
Logging into EE using API calls

Developer Preview

Louis D.
6 posts
9 years ago

Hi there,

I’m currently working on an OSX app that makes HTTP requests to EE in order to manage EE data.

I have an add-on that handles specific HTTP requests (using URLs like /system/index.php?/cp/addons/settings/my_addon/list_all), but to have access to that URL, the app needs to automatically login to EE first.

For now, the app is just getting the CP login page, picking out the form action URL and csrf_token hidden field from the HTML, and trying to log in using that data. After that it checks the cookies and redirection URL for a session ID and uses that later to make API calls to an add-on.

But it’s hacky, and I had bugs with redirection after logging in or when logging in fails. Plus it needs to be compatible with EE2 and I remember that EE2 had some URL changes around 2.8 if my memory is correct.

I was wondering if I could create an add-on that could simplify that by offering API endpoints:

  • GET /my_addon/tkn to retrieve a CSRF token

  • POST /my_addon/login to actually try to login by sending a csrf token data, username and password;

  • GET /my_addon/logout to logout from the site

What would be the best way to do that? I think my question is more, how can I do that the safest way possible? I don’t want to create a security hole, it’s my biggest concern.

Thanks!
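
Added example, not part of the original thread and not ExpressionEngine code: the scraping step described in the post above, in Python, with two checks a client can make before it sends a password (the CP URL is HTTPS, and the form action stays on the CP origin). The sample HTML, its action path, `LoginFormParser`, `origin` and `login_target` are constructed for illustration; only the `csrf_token` field name comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed login page; the action path is illustrative, not taken from EE.
SAMPLE_HTML = """<form action="/system/index.php?/cp/login" method="post">
<input type="hidden" name="csrf_token" value="constructed-token-123">
<input type="text" name="username"><input type="password" name="password">
</form>"""

class LoginFormParser(HTMLParser):
    """Records the action URL and hidden inputs of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per form: {"action": str, "hidden": {name: value}}
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "hidden": {}}
            self.forms.append(self._open)
        elif (tag == "input" and self._open is not None and a.get("name")
              and (a.get("type") or "").lower() == "hidden"):
            self._open["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def origin(url):
    """(scheme, host, port) with default ports filled in, for same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.port or {"https": 443, "http": 80}.get(p.scheme.lower()))

def login_target(cp_url, html):
    """Return (post_url, csrf_token); raise ValueError rather than guess."""
    if urlsplit(cp_url).scheme.lower() != "https":
        raise ValueError("CP URL must be https before a password is sent to it")
    parser = LoginFormParser()
    parser.feed(html)
    forms = [f for f in parser.forms if f["hidden"].get("csrf_token")]
    if len(forms) != 1:
        raise ValueError("expected exactly one form carrying csrf_token")
    post_url = urljoin(cp_url, forms[0]["action"])
    if origin(post_url) != origin(cp_url):
        raise ValueError("form action leaves the CP origin; credentials not sent")
    return post_url, forms[0]["hidden"]["csrf_token"]

if __name__ == "__main__":
    print(login_target("https://example.com/system/index.php", SAMPLE_HTML))
```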

       
Kevin Cupp
791 posts
9 years ago

Is the only reason you need to login so that you can access your add-on URL? If so, could you achieve what you need to do with action requests?

       
Louis D.
6 posts
9 years ago

By action requests, you mean ?ACT=xx URLs, right?

I can’t do that, because action IDs will not be the same on each EE install, I believe the action ID is auto generated.

       
Kevin Cupp
791 posts
9 years ago

Yes, those ACT URLs. If you’re not giving the app the endpoint URL, is the idea you’ll point your app to a domain and it’ll magically figure it out? How can it guess the control panel URL for a given site?

       
Louis D.
6 posts
9 years ago

My app is asking for the CP URL, login and password and that’s it. 😊

       
Kevin Cupp
791 posts
9 years ago

Ah ok. Is the CP URL used for anything else other than to point to your API backend? If not, could you just have them put in the ACT URL like folks do when they want to use the Metaweblog API in something like MarsEdit? I’m just trying to understand the motivation for the more complicated approach.

       
Louis D.
6 posts
9 years ago

I use the CP URL only for API calls, nothing else.

I just want it to be really easy for the user to use. To me, having to enter only CP URL, login and password is the simplest I could do. Then the app would just have to log in and the app would know each API URL.

I just realized that an ACT URL would be ok. It would be the main entry point to the API.

mywebsite.com/?ACT=42&action=login
mywebsite.com/?ACT=42&action=get_list

Or maybe POST queries?

       
Kevin Cupp
791 posts
9 years ago

Sure, GET or POST should be fine.

       
Reinos
79 posts
8 years ago

Did you try the webservice module, Louis?

https://devot-ee.com/add-ons/webservice

Perhaps this can help you manage your EE data.

Let me know if you have any questions about it.

Best, Rein

       


Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.