I am trying to create a Wix HTTP POST function that, when called, has admin privileges rather than visitor privileges.
I have external information on AWS that, when updated, I need to import into my Wix collection. To do this I have an App Runner that allows Wix to see my RDS DB with the info. I send a POST request telling Wix that it needs to grab the information, which it does, but it falls over because the function only has visitor privileges rather than admin or even member, so when it tries to update the collection it fails with not authorised. I have lowered the privileges in the collection for now, but this isn't a good long-term solution.
The basic code looks like this:
```js
import { badRequest, created } from 'wix-http-functions';

// isPermitted and calledFunctionToRun are defined elsewhere in the backend.
export function post_notifyInformation_test(request) {
  // First, check if the request is authorized
  return isPermitted(request.headers)
    .then((isAuthorized) => {
      if (!isAuthorized) {
        // If not authorized, return a bad request response
        return badRequest({
          body: { message: "Unauthorized" },
          headers: { "Content-Type": "application/json" },
        });
      }
      // If authorized, process the request body
      return request.body.text().then((body) => {
        console.log("Been informed");
        // Call your service to process further
        calledFunctionToRun();
        // Return a created response if the request was successfully processed
        return created();
      });
    })
    .catch((error) => {
      // Handle any errors that occurred during the authorization check or body processing
      console.error("Error during request processing:", error);
      return badRequest({
        body: { message: "An error occurred while processing the request." },
        headers: { "Content-Type": "application/json" },
      });
    });
}
```
isPermitted is a basic function that matches secret keys.
Is there a way to authorise and give admin privileges?
The core issue is that your Wix HTTP function, despite being triggered by an external request, is executing with visitor privileges. This limitation prevents it from performing actions that require higher privileges, such as updating a collection.
Is this what you are dealing with?
Yes, and other than elevate, I can't see any solution.
While there’s no direct way to grant admin privileges to an HTTP function, here are some potential workarounds:
1. Leverage Wix’s Built-in Integrations:
- Integrate with a Third-Party Service: Consider using a third-party service like Zapier or Integromat. These services can be configured to trigger actions in Wix, including updating collections.
- Use Wix’s Built-in Integrations: Wix offers various integrations with services like Google Sheets, Dropbox, and more. If your external information source can be integrated with one of these services, you can leverage Wix’s built-in mechanisms to update your collections.
2. Explore Wix Code Advanced Features:
- Backend Functions: While not directly granting admin privileges, backend functions can perform actions on behalf of the user who triggered them. This might be suitable for certain scenarios, especially if you can control the user who triggers the function.
- Server-Side Rendering (SSR): If your use case allows, SSR can be used to render dynamic content on the server-side, potentially bypassing some client-side limitations.
3. Consider a Different Approach:
- Scheduled Tasks: If your external information updates periodically, you could use Wix’s scheduled tasks to fetch and update the collection at specific intervals.
- Webhooks: If your external service supports webhooks, you can configure it to send a POST request to a Wix HTTP function. This function, while still running with visitor privileges, might be able to trigger other actions, such as sending an email to an admin who can then manually update the collection.
You can try all these, and if you face further issues then we can connect to resolve those problems.
Thank you for your reply. I have resorted to changing the approach: the HTTP POST now just updates a job table and then scheduled jobs take over as a backend process. Not the most elegant, but privileges are all back to normal security levels.
Hello @tom66859
- Create a Backend Web Module:
- File: backend/secureModule.jsw
```js
// wix-data is a default export, not a named one.
import wixData from 'wix-data';

// Inserts the given item into the collection.
export async function updateCollectionWithAdminPrivileges(data) {
  return wixData.insert('yourCollectionName', data); // Replace with your collection name
}
```
- Modify Your HTTP Function:
- File: backend/http-functions.js
```js
import { updateCollectionWithAdminPrivileges } from 'backend/secureModule';

export async function post_notifyInformation_test(request) {
  // Compare the presented bearer token with the shared secret
  const isAuthorized = request.headers['Authorization'] === 'Bearer your-secret-key';
  if (!isAuthorized) return { status: 401, body: { message: 'Unauthorized' } };
  // Parse the JSON body and hand it to the backend module
  const body = await request.body.json();
  await updateCollectionWithAdminPrivileges(body);
  return { status: 200, body: { message: 'Collection updated successfully' } };
}
```
- Send POST Request with Authorization:
```bash
# A function named post_<name> is served at /_functions/<name>
curl -X POST https://your-wix-site.com/_functions/notifyInformation_test \
  -H "Authorization: Bearer your-secret-key" \
  -H "Content-Type: application/json" \
  -d '{"field1": "value1"}'
```
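An added example, not code from any post in this thread: the shared-secret check and the permission-bypassing write planned in one small backend function, so that only an authenticated request carrying allow-listed fields reaches the privileged call. `suppressAuth` is the wix-data option that skips collection permission checks; the function, field and config names are hypothetical, and the Wix call itself is left as a comment so the logic runs under plain Node.

```javascript
// Added example; every name here is hypothetical. The function is pure so it
// runs under plain Node; on Wix it would be called from backend/http-functions.js.

// Compare two strings without stopping at the first mismatching character.
function safeEqual(presented, expected) {
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < presented.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i % (expected.length || 1));
  }
  return diff === 0;
}

// Extract the bearer token, matching the header name case-insensitively.
function bearerToken(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'authorization') {
      const match = /^Bearer (\S+)$/.exec(String(value));
      return match ? match[1] : null;
    }
  }
  return null;
}

// Decide what the HTTP function should do. Only an authenticated request with
// at least one allow-listed string field yields a write plan.
function planPrivilegedInsert(headers, payload, config) {
  const token = bearerToken(headers);
  if (token === null || !safeEqual(token, config.secret)) {
    return { status: 401, body: { message: 'Unauthorized' } };
  }
  const item = {};
  for (const field of config.allowedFields) {
    if (payload && typeof payload[field] === 'string') item[field] = payload[field];
  }
  if (Object.keys(item).length === 0) {
    return { status: 400, body: { message: 'No accepted fields' } };
  }
  // On Wix: await wixData.insert(config.collection, item, options)
  return { status: 201, item, options: { suppressAuth: true } };
}

// Constructed sample configuration and request.
const sampleConfig = { secret: 'constructed-secret', allowedFields: ['field1'] };
const samplePlan = planPrivilegedInsert(
  { authorization: 'Bearer constructed-secret' },
  { field1: 'value1', _owner: 'someone-else' },
  sampleConfig
);
```

Keeping the bypass on a single call in a backend `.js` file, rather than in an exported web-module function, means page code cannot reach it, and the collection's own permissions can stay at their normal level.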