How to authenticate a user whenever data is queried or submitted from an iOS app

Dear Developers,
We have found this security gap and would like to know if there is any way it can be addressed.
All we want is to authenticate the Wix member on each data query/submission in the iOS app.

Our members are Wix registered members who, once they buy a plan, will log in to the iOS app, go to the respective plan interface, and submit related data.

Attaching the business flow which we designed for one of our esteemed clients.

Authentication and data submission API used for first-time login in the iOS app:
http-functions.js

import wixData from 'wix-data';
import wixUsers from 'wix-users-backend';
import { created, badRequest, forbidden, get, notFound, ok, response, use, serverError } from 'wix-http-functions';

//URL
//https://lioonnize.wixsite.com/cfa-jun/_functions-dev/apiForTokenForLogIn?userName=*****@gmail.com&password=*****

export function get_apiForTokenForLogIn(request) {
    let userName = String(request.query.userName);
    let usersPassword = String(request.query.password);
    return wixUsers.login(userName, usersPassword)
        .then((sessionToken) => {
            let successReturnValueObject = {
                headers: {
                    "Content-Type": "application/json"
                },
                body: {
                    "sessionToken": sessionToken,
                    // this is an estimated amount could be 120 secs
                    "expiry": "90.0",
                }
            };
            return ok(successReturnValueObject);
        })
        .catch((error) => {
            let errorMessage = "could not access session token for user, since failed authentication.";
            console.log(errorMessage);
            let failedReturnValueObject = {
                headers: {
                    "Content-Type": "application/json"
                },
                body: {
                    "errorMessage": errorMessage,
                    "error": String(error),
                    "userName": userName
                }
            };
            return badRequest(failedReturnValueObject);
        });
} // End of 'get_apiForTokenForLogIn' Function

//https://lioonnize.wixsite.com/cfa-jun/_functions-dev/clientdatainsert
export function post_clientdatainsert(request) {
    let options = {
        "headers": {
            "Content-Type": "application/json"
        }
    };
    // get the request body
    return request.body.text()
        .then((body) => {
            // insert the item in a collection
            return wixData.insert("WaveClientData", JSON.parse(body));
        })
        .then((results) => {
            options.body = {
                "inserted": results
            };
            return created(options);
        })
        // something went wrong
        .catch((error) => {
            options.body = {
                "error": error
            };
            return serverError(options);
        });
}

any inputs…

In your function apiForTokenForLogIn() you register the user to become a site member and then return a session token. If you save this token in a collection then you could validate it on each call to the function clientdatainsert().
You should note that http functions are not supported for site members session handling so this is really a work-around.

The thread "Site API Http-functions with User Authentication" should be able to help you. However, I can't guarantee that this will work exactly as you need.
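
The token check suggested in the reply above, sketched as an added example that is not part of the thread and is not Wix's own code. It assumes plain Node.js, an in-memory `Map` standing in for a site collection (hypothetical name "ApiSessions"), an `Authorization: Bearer` header carrying the token, and a 15-minute lifetime; all function names are hypothetical.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// Stand-in for a site collection (hypothetical "ApiSessions"): token hash -> session row.
const apiSessions = new Map();
const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime, pick your own

const hashToken = (token) => createHash("sha256").update(token).digest("hex");

// Call once the login endpoint has authenticated the member.
// Only the hash is stored, so a leaked collection does not leak usable tokens.
function rememberToken(token, memberId, now = Date.now()) {
  apiSessions.set(hashToken(token), { memberId, expiresAt: now + TOKEN_TTL_MS });
}

// Returns the member id bound to a "Bearer <token>" header, or null.
function authenticate(authorization, now = Date.now()) {
  const match = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(authorization || "");
  if (!match) return null;
  const key = hashToken(match[1]);
  const session = apiSessions.get(key);
  if (!session) return null;
  if (session.expiresAt <= now) {
    apiSessions.delete(key); // expired rows are dropped on sight
    return null;
  }
  return session.memberId;
}

// The checks a data-insert endpoint would run before writing anything.
// Here the accepted item is returned instead of being written to a collection.
function handleInsert(headers, bodyText, now = Date.now()) {
  const memberId = authenticate(headers.authorization, now);
  if (!memberId) return { status: 403, body: { error: "invalid or expired token" } };
  let item;
  try {
    item = JSON.parse(bodyText);
  } catch (e) {
    return { status: 400, body: { error: "body is not valid JSON" } };
  }
  if (item === null || typeof item !== "object" || Array.isArray(item)) {
    return { status: 400, body: { error: "body must be a JSON object" } };
  }
  // The owner comes from the session row, never from the request body.
  return { status: 201, body: { inserted: { ...item, memberId } } };
}

// Constructed sample token, standing in for the value the login call returns.
const sampleToken = randomBytes(32).toString("base64url");
```

Because the member id is taken from the stored session row, a caller cannot submit data under another member's id by putting it in the JSON body.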

Thanks so much, Yisrael.

We will try it. However, you have pointed out that https functions are not supported; can you please guide us on the best way to ensure this authentication is compliant with the iOS app and Wix?

It's a big release for us and we want to ensure we are compliant.

regards
sneha shah