API use in external sites

[amitdangwal]

Hi Team, I was searching for webservice for joomla and landed here. I have tried your plugin and it is working with the demo users plugin. I have requirement to allow external web applications(a wordpress site) to access my joomla system for some specific data. Earlier wordpress site used to have a iframe which points to my joomla page but now we want to move to webservice layer so that wordpress can fetch data using your webservice plugin from my joomla(com_api will be installed in joomla and a user key will be created).

I was reading tickets, documentation, issues mentioned by other users so as to gather more information. I came to know about issue: Token issue #27 https://github.com/techjoomla/com_api/issues/27

Now since the webservices will be called by a browser dependent client application (wordpress site) then does it mean the user(whosoever) opened the browser page of wordpress site(which makes call com_api the wordpress template or functions.php file) will be automaticly gets logged in joomla system too ? i.e wohosoever the user is, if opens my site www.xyzjoomla.com will be automaticly logged in joomla (using the user key I created) ? Is this correct ? I donot want any person browsing wordpress site gets logged in joomla system as they are not supposed to access joomla.

Please confirm if this is the behaviour and in such case do I need to modify authentication.php file? https://github.com/techjoomla/com_api/blob/master/code/site/libraries/authentication.php

Thanks, Amit

[coolbung]

If you're making the API call from the client-side eg: using an AJAX call, then the user (for whom the token is created) will indeed get logged in. However this means that you will be exposing the token to public, I don't think you'd want to do that.

However, if the API call is being made via PHP (eg: using CURL or wordpress' methods) then the user won't get logged in to Joomla.

[amitdangwal]

Thank you for the update. I am exploring the plugin by adding resources I need. It is really looking a good plugin to me. I have yet to test it with wordpress. I will be using it in wordpress php and not in ajax so as to avoid the auto-login issue.

One more thing I want to ask. Do I need to handle CORS or if this plugin(com_api) addresses it ? Wordpress site in on different domain.

I see there is a domain field in screen option=com_api&view=key&layout=edit&id=1 what does this field do ? is it for CORS ?

in this field I added a domain value as xyz.com and then tried calling webservice(running on localhost) using the key with domain as xyz.com. The API(running at localhost/joomla/site) returned data even if api key domain value is different(xyz.com).

So in summary I have question

1. DO I need to add any handling for CORS or it is handled in the plugin.
2. What is domain field in while we create API key.

I could not find any thing related to these in documentation.

Sincere thank you for your time and effort.

[coolbung]

My replies inline

1. DO I need to add any handling for CORS or it is handled in the plugin.

If you are calling the APIs via PHP, then you don't need to worry about CORS.

2. What is domain field in while we create API key.

That field is not functional, and will be removed in a future version. It is not related to CORS. We are working on CORS support for com_api which will let you which domains are allowed for CORS.