Confusion about API Authenticated User

I have a question more about the security of using the API because I think I’m missing some trivial concept with my lack of experience.

I have a headless implementation of discourse to integrate into my frontend and I’ve successfully enabled sso for user authentication.

My initial understanding was that I was using SSO to authenticate as the “activeUser” to fetch activeUser-specific data from the api. I see now, that’s not entirely correct.

I see now that the data that is returned seems to be dependent on the ‘api-username’ passed into the header. But I’m using an Admin API key so I believe this means that I can fetch any user’s data that I want by passing the correct username for “api-username”.

So my question boils down to this: it seems like the API doesn’t introduce a concept of “activeuser” and I have to adjust the active user by retrieving the username by external_id and then using that as the api-username throughout the active session. Is that correct?

If my understanding is correct, isn’t this easy for a hacker to just modify the api-username in the header to retrieve chat discussions for any user?

Any additional information will be appreciated to help me understand. Thanks!

Some related articles that I’ve read:

An Admin API key is the key to the kingdom

Do not put it anywhere in a frontend app. If you did, I recommend you revoke it immediately.

3 Likes

You should never use that API from a frontend because in that case this indeed is a risk (actually the risk is much higher because the hacker can do anything).

You should do this from the backend.

If that is not an option then you should use User API keys instead.

2 Likes
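One way to follow the backend-only advice above, as an added example that is not code from this thread or from Discourse itself: a small server-side proxy that derives `Api-Username` from the caller's own session and discards any `Api-Username` or `Api-Key` the browser sends, so the admin key never leaves the server and a client cannot pick another user's data. The forum URL, the session store and the external_id-to-username map are constructed placeholders; `/session/current.json` and `/users/by-external/{id}.json` are existing Discourse endpoints.

```javascript
// Server-side only: the admin key and the session lookup never reach the browser.
const DISCOURSE_BASE = "https://forum.example.com"; // assumed forum URL
const ADMIN_API_KEY = process.env.DISCOURSE_ADMIN_API_KEY || "<admin-key-placeholder>";

// Constructed sample of the app's own session store: session id -> SSO external_id.
const SESSIONS = { "sess-1": "ext-42", "sess-2": "ext-43" };
// Constructed sample cache of external_id -> Discourse username. In practice this is
// filled server-side from GET /users/by-external/{external_id}.json with the admin key.
const USERNAME_BY_EXTERNAL_ID = { "ext-42": "alice", "ext-43": "bob" };

// The only client headers the proxy forwards; everything else is dropped.
const PASSTHROUGH_HEADERS = new Set(["accept", "content-type"]);

function resolveUsername(sessionId) {
  const externalId = SESSIONS[sessionId];
  if (!externalId) return null;
  return USERNAME_BY_EXTERNAL_ID[externalId] || null;
}

// Build the outbound Discourse request for an authenticated session.
// Api-Username comes from the session, never from the incoming request.
function buildDiscourseRequest(sessionId, path, clientHeaders = {}) {
  const username = resolveUsername(sessionId);
  if (!username) throw new Error("unauthenticated session");
  // Only simple .json paths under the forum root; no traversal, no absolute URLs.
  if (path.includes("..") || !/^\/[a-z0-9\-_/.]+\.json$/i.test(path)) {
    throw new Error("path not allowed");
  }
  const headers = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const lower = name.toLowerCase();
    if (PASSTHROUGH_HEADERS.has(lower)) headers[lower] = value;
    // A client-supplied api-key / api-username is silently discarded here.
  }
  headers["api-key"] = ADMIN_API_KEY;
  headers["api-username"] = username; // bound to the caller's own session
  return { url: DISCOURSE_BASE + path, headers };
}
```

The frontend then calls this proxy with its session cookie and never sees the admin key; a request carrying a forged `Api-Username` still resolves to the session's own user.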

As a headless implementation, I will be running this from my front end. So, in this case it seems like I need to spend some time trying to decipher the discussion on this topic then:

Similar to these discussions, I would be interested in auto-generating the user’s api-key using my admin api access. However, in my flow, I wouldn’t want the user to redirect to a new page to “approve” my app. I will either want to force approval using my trusty admin api key, or is there a setting that I can disable so that additional authentication is not needed for the new user-api-key that I generate?