appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0

[Feature] Access to request headers #7781

Open tmdoit opened 3 years ago

tmdoit commented 3 years ago

Summary

I would like to see the possibility to access request headers, like: {{appsmith.request.headers}}

Motivation

Authelia (an authentication server) sets headers at the proxy level about the user's auth status (Remote-Users, Remote-Groups), which I want to read in appsmith to control user access to resources. More details on how it "integrates" with appsmith are here.

Additional Context

My need for now is related to request headers but I think that making available information like cookies from request data could be useful too.

Nikhil-Nandagopal commented 3 years ago

Hey @tmdoit 👋 , Thank you for the feature request! I have a couple of questions here. From what I could understand, Authelia will return the headers in the api/verify call so are these headers meant to be sent with all successive API calls from appsmith to your backend? In this case, are you unable to read the response from the api/verify call and simply add them to the headers?

tmdoit commented 3 years ago

I want to read headers to control access to appsmith app resources, as was explained in this video. To do that I need to access the headers passed from the proxy; the best way, I think, is as I said earlier, via a js object: {{appsmith.request.headers}}. I created a diagram to better illustrate the problem which I'm trying to solve.

[Image: appsmith_authelia]

Nikhil-Nandagopal commented 3 years ago

@tmdoit so that is where I see the confusion, because {{appsmith.request.headers}} is a client-side replacement. So at this time, the client will not have these headers that the proxy replaces unless the API call returns the headers back to the client.

tmdoit commented 3 years ago

Thanks for clarifying this. What about cookies? As I can see, cookies are not available via this object.

Authelia seems a great solution because authentication, token validation and authorization (based on URL resources) happen outside of Appsmith, and what I'm trying to solve could be done via Authelia, but the UX will be bad because when a user clicks on the "Reports" tab, he will be redirected with an error outside of Appsmith. That's why I'm looking for a solution to hide tabs from unprivileged users.
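The flow discussed above (proxy-set identity headers, returned to the client in an API response so the UI can hide tabs), as an added example that is not Appsmith or Authelia code. The header names `Remote-User` and `Remote-Groups`, the proxy address, the tab map and all function names are assumptions made for illustration.

```python
import json

# Assumed names: adjust to the headers your proxy actually sets.
IDENTITY_HEADERS = ("Remote-User", "Remote-Groups")
TRUSTED_PROXIES = {"10.0.0.2"}  # constructed address of the auth proxy
TABS = {"Home": None, "Reports": "finance"}  # constructed tab -> required group


def proxy_forward(client_headers, session):
    """What the auth proxy does: drop any identity headers the browser
    sent, then set them from the verified session (None = not logged in)."""
    blocked = {h.lower() for h in IDENTITY_HEADERS}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    if session is not None:
        upstream["Remote-User"] = session["user"]
        upstream["Remote-Groups"] = ",".join(session["groups"])
    return upstream


def whoami(headers, peer_ip):
    """Hypothetical backend endpoint: returns the identity in the response
    body, the only place a client-side binding can read it from."""
    if peer_ip not in TRUSTED_PROXIES:
        return 403, json.dumps({"error": "not via proxy"})
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get("remote-user")
    if not user:
        return 401, json.dumps({"error": "unauthenticated"})
    groups = [g for g in lowered.get("remote-groups", "").split(",") if g]
    return 200, json.dumps({"user": user, "groups": groups})


def visible_tabs(whoami_body, tab_groups):
    """UI-only decision: which tabs to show. The proxy still has to
    enforce access to the data behind each tab."""
    groups = set(json.loads(whoami_body).get("groups", []))
    return [t for t, needed in tab_groups.items() if needed is None or needed in groups]


if __name__ == "__main__":
    # The browser sends its own group header; the proxy replaces it.
    sent = {"Cookie": "session=abc", "remote-groups": "finance"}
    upstream = proxy_forward(sent, {"user": "alice", "groups": ["staff"]})
    status, body = whoami(upstream, "10.0.0.2")
    print(status, body, visible_tabs(body, TABS))
```

Hiding a tab this way only improves the UX; requests for the data behind it still need to be authorized at the proxy or backend.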

18sby commented 8 months ago
Nikhil-Nandagopal commented 8 months ago

Hi @18sby 👋 Would love to hear your use case

18sby commented 8 months ago

> Hi @18sby 👋 Would love to hear your use case

I'm glad to receive your reply

Firstly, I need to clarify that my self-developed application uses cookie authentication, with the key being bv_session.

In my self-developed application, I embedded the application developed by AppSmith using an iframe. My application is under the same secondary domain as the one developed by AppSmith (.bluemediagroup.cn).


I have added an HTTP API (new blank API) to the application developed by AppSmith. The domain name of the API is the same as my self-developed application, and it requires authentication, which means requesting a cookie in the header.

But what I have observed is that in the application developed by AppSmith, it seems that the execute API is executed first, and then the execute API executes the HTTP API I added. My HTTP API did not receive the bv_session cookie on the execute API.
