Validate user token on REST API


I have users accessing a data table using an API built in NodeJS that accesses Backendless using the REST key. The users should be able to modify any entry on the table, but their access is restricted through the NodeJS API.

Including the user-token as a header appears to force the user to only update their own items (items matching their ownerId).

I’d like to be able to validate their user-token without including it in the POST/PUT calls. Is this possible?

UPDATE: Adding some clarity. I’d like to run this like a CRUD table where users can update data. Even if I set the permissions like so:

including the user-token forces me to enable the CRUD functions in the Owner Policy

Which then somehow enables the other SDK keys (specifically the JavaScript one) to work. I want to force the user to go through my NodeJS API key so I can control which columns get updated and how the data gets parsed.

So overall, I want to:
- Verify the user is logged in
- Allow them to make CRUD operations on a table through REST only

The user token is sent with the API call not for validation purposes, but to identify the user and consequently their roles. If the user token is not sent, the API request will be treated as one coming from a non-authenticated user.

Furthermore to this:

This depends on the actual security configuration of your data tables. Have you specifically configured it to enable owner policy?


Thanks for the reply Mark. Just posted a clarifying update on my original post.

From your response, it seems like the only way for the table to know a user is logged in is using the user-token which then enables owner policy. Is that the case?

I’d like to be able to confirm the user is logged in, but not have the owner policy kick in. That sounds like I’ll actually need to set the permissions to be unauthenticated + REST.

Perhaps what I’m looking for is the ability in my NodeJS API such as:

// fetch() returns a Promise (always truthy), so await the response and read the boolean out of it
const response = await fetch('..backendless../validate-token/123-456-789');
const isTokenValid = await response.json();

if (!isTokenValid) { return "please log in"; }

// ... continue on with the rest of the API
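The gateway shape sketched in the post above, written out as an added example (not code from the thread, from Backendless, or from its SDK): the client sends its user-token to the NodeJS API, the API checks the token, and the write to the table then goes out with the server-side REST key only, so the user-token never reaches the table and the owner policy has nothing to act on. Everything in it is constructed for the demo: the `user-token` header name, the `Items` table and its path shape, the allow-listed column names, the placeholder app id and REST key, and the two callbacks (`validateToken`, which would wrap whatever session-check call the backend offers, and `updateRecord`, which would perform the REST-key write) are assumptions, not the real SDK or REST API.

```javascript
// Columns a caller may change. Anything else in the body (ownerId, for
// instance) is dropped, so the gateway, not the client, decides what is written.
const ALLOWED_COLUMNS = ['title', 'status', 'notes'];

// Returns a copy of `body` containing only allow-listed columns.
function pickAllowedColumns(body, allowed = ALLOWED_COLUMNS) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      out[key] = body[key];
    }
  }
  return out;
}

// Pulls the caller's token out of the request headers (header name is an assumption).
function extractToken(headers) {
  const raw = headers['user-token'];
  return typeof raw === 'string' && raw.trim() !== '' ? raw.trim() : null;
}

// Builds the request sent upstream: REST key in the path, NO user-token header,
// and only the filtered columns in the body. Pure function so it can be checked
// in isolation. The path shape is a placeholder, not taken from the thread.
function buildUpstreamUpdate(objectId, body, appId, restKey) {
  return {
    method: 'PUT',
    path: `/${appId}/${restKey}/data/Items/${encodeURIComponent(objectId)}`,
    headers: { 'Content-Type': 'application/json' }, // deliberately no user-token
    body: pickAllowedColumns(body),
  };
}

// Full handler: reject when there is no token or the token does not validate,
// otherwise write with the server's key.
// deps.validateToken(token) -> Promise<boolean>; deps.updateRecord(req) -> Promise<object>
async function handleUpdate(req, deps, config) {
  const token = extractToken(req.headers);
  if (token === null) {
    return { status: 401, body: { error: 'please log in' } };
  }
  const valid = await deps.validateToken(token);
  if (!valid) {
    return { status: 401, body: { error: 'please log in' } };
  }
  const upstream = buildUpstreamUpdate(req.params.objectId, req.body, config.appId, config.restKey);
  const saved = await deps.updateRecord(upstream);
  return { status: 200, body: saved };
}

// Constructed demo run with fake deps (no network involved).
async function demo() {
  const deps = {
    validateToken: async (token) => token === 'demo-valid-token', // constructed check
    updateRecord: async (upstream) => ({ objectId: 'abc', ...upstream.body }),
  };
  const config = { appId: 'APP-ID-PLACEHOLDER', restKey: 'REST-KEY-PLACEHOLDER' };
  const req = {
    headers: { 'user-token': 'demo-valid-token' },
    params: { objectId: 'abc' },
    body: { title: 'hello', ownerId: 'someone-else', status: 'open' },
  };
  return handleUpdate(req, deps, config);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Prints a 200 response whose body carries title and status but no ownerId.
  demo().then((res) => console.log(JSON.stringify(res)));
}
```

Two points carry the security value here: the token is only ever used to answer "is this caller logged in?", and the upstream request is built by a function that cannot forward it, so the permission model the table sees is always "REST key, no user", whatever the client sent.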

Owner policy is not enabled by default; it requires explicit configuration. To know that a user’s session is valid, you can make a call to validate the user token. Again, a user token is sent to the server not only with the purpose of validating that the user is logged in, but more importantly to know what roles and permissions the user has.

The API you inquired about is available in our JS SDK, which can be used in Node: