How to get current user?


(Abhishek Gupta) #1

How do I get the current user?

Like, is there a cookie with his session id/username or something like that I can use to get his info from /users/username.json? Or can I directly get it via ajax?

I need to submit a form, ONLY when the user is Logged in on discourse.

Or can I get the user’s password via ajax? This way I can ask the user to enter the password for his forum account and then check it against the password I get from Discourse.


(Robin Ward) #2

Every time Discourse loads, there is a JSON object in the body containing the current user. Via Javascript you can get it with Discourse.User.current(). If you want the current user’s name, you can do Discourse.User.currentProp('username').

If the user is not logged in, you will get null back.

No, this would be very insecure. We don’t store plain text passwords or have any way to retrieve any kind of hashed password via API.


(Allen - Watchman Monitoring) #3

I’m looking to identify our logged in visitors along with other tools we’ve got in place (olark and such).

Would it be possible to have a user’s email available via Discourse.User.currentEmail?


(Abhishek Gupta) #4

I don’t really get it. Can you please add an example ajax GET call to get the current username? Can I use getJSON?


(Robin Ward) #5

If you are trying to get the user’s name from a plugin for Discourse or inside discourse, you can just type: Discourse.User.currentProp('username')

If you are trying to somehow get the user via AJAX from ANOTHER site or app, that is cross domain and a security violation. Some people who need this feature have enabled CORS, but a better solution would be for your second app to make the JSON call on the server side and expose it to your client app.


(Abhishek Gupta) #6

Yup, that is the question: I want to get it from a different domain. I have enabled CORS, so no worries there. How do I make the ajax call? An example would be awesome.


(Robin Ward) #7

There is no current API endpoint to get the current user, you need to know their username in advance.

We could add it, but it seems to me that’s dangerous from a security point of view - if you enable CORS, it means any other site on the internet could just check who you are on a particular discourse forum. I would say your identity on another site should be private to other sites.

I would suggest implementing your solution in another way.


(Abhishek Gupta) #8

I have allowed access via only a single domain. For example, if my Discourse instance is at forums.awake-gaming.com and my other JS application is at awake-gaming.com, I would allow access to forums.awake-gaming.com via awake-gaming.com only. It can be set up in the nginx config.

As for the time being, to implement it another way, this is my problem in brief:

If I have my visitor enter a username on an HTML form, how can I ensure that he owns the account corresponding to that username in my Discourse instance? @eviltrout it would be awesome if you could suggest any other way. Thanks in advance!


(Johan Jatko) #9

Generally most forum software has enabled (either via mods or plugins) ways to use the login session outside of the forum area to authenticate users. I believe this is what he’s asking for (and I am curious myself).


(Jeff Atwood) #10

Lots of topics here about single sign on (SSO). Try the login category, extensibility category, etc.

It’s an area we worked heavily on. @sam can you clarify where the best current reference is? I found bits and pieces around, but maybe we need a blessed FAQ.


(Abhishek Gupta) #11

Yup, somewhat similar. I just need to check if the user is logged in or not; I don’t want to authenticate him in Discourse from an external source, I just need to know whether he is logged in or not!


Btw, hi @ArmedGuy, nice to see ya! Zapper here, from the Awake forums.


(Robin Ward) #12

I’ve added a /session/current API endpoint to retrieve the current user. This saves you having to download the document and scrape it out of the preload store.

https://github.com/discourse/discourse/commit/1dac3cfd64d73eb09be47f0c59c8b592b4b27389

An example way to call this would be:

$.ajax("/session/current").then(function (json) {
  console.log(json.current_user.username);
});

Be very careful if you are going to allow support for this endpoint via CORS, as if you mess up the permissions you could allow other sites to figure out the usernames/ids for currently logged in discourse users.


(Abhishek Gupta) #13

EDIT: I just tried it out and got an error:

Uncaught TypeError: Cannot read property ‘username’ of undefined

For security purposes, can you add a check for the master API key?
So that a similar ajax call would become:

$.ajax({
  type: 'GET',
  url: 'http://domain.com/session/current',
  dataType: 'json',
  data: {
    'api_key': 'XXXXXXXXXXXXXXXXXXXXXXX',
  },
  success: function (json) {
    console.log(json.current_user.username);
  }
});

Also, as far as that CORS thing being seen as a security threat, it is not at all reliable. I know that my opinion was different before, but then this came to my notice.

So requiring Master API key would be awesome. Thanks!


(Robin Ward) #14

All calls on the Discourse site support API keys already. However, don’t do this. If you put the master key in client side javascript, anyone who views your code can do anything on your discourse forum. Only use the api_keys server side.


(Johan Jatko) #15

API key wouldn’t add security for client-side code, because /session/current data is based on the logged in user’s session. (Obviously)

As for CORS, it is NOT insecure (that plugin isn’t really an attack vector at all) as long as you’re not lazy and use * instead of specific domains in the header.

And Hello. =)


(Abhishek Gupta) #16

BUMP

This returns an HTML doc, not a JSON object… Fix please.


(Robin Ward) #17

I just tried it in a console and it works fine. It’s possible your ajax call is not requesting the JSON mime type and getting back HTML instead. To be doubly sure, you can add .json to the path. But it’s a good idea to explicitly request JSON.


#18

For some reason I am getting a 404 Not Found when trying to receive the current user data over an ajax call from another domain. I set up all the CORS settings according to How to enable Cross-origin Resource Sharing with docker, rebuilt the app etc. (Before setting this up properly, the ajax call failed with an error message complaining of the lack of CORS headers.)

Visiting the JSON file directly in the browser, or fetching via ajax from a console in the domain itself, everything returns correctly, but for some reason trying to fetch it via an ajax call from an alternate domain always returns a 404 Not Found. Any ideas what I’m doing wrong?

I am following the ajax call as above (of course with the correct URL when testing):

Looking in developer tools, I see the CORS headers are set:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*

(only set to * for now for debugging)


(Robin Ward) #19

Are you sending cookies with the request? To get the current user, cookies are required. See: withCredentials


#20

Ah perfect, thank you!

Just in case it helps anyone out, you can’t use a wildcard when using withCredentials:

A wildcard ‘*’ cannot be used in the ‘Access-Control-Allow-Origin’ header when the credentials flag is true.

Specifying the precise domain, this is working now.
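Added example (not code from the thread or from Discourse itself) tying together #12, #15, #19 and #20: a server-side allow-list that echoes an exact origin instead of "*" because /session/current needs cookies, a client request that sends credentials and asks for JSON explicitly, and a null-safe reader for the response. The allowed-origin list and forum URL are constructed, and request header names are assumed lowercased as Node does.

```javascript
// Constructed allow list: only the first-party app may read the forum's session endpoint.
const ALLOWED_ORIGINS = ["https://awake-gaming.com"];

// Decide which CORS headers to attach to a response for /session/current.
// Because the browser must send cookies (credentials) for this endpoint, a
// wildcard Access-Control-Allow-Origin is rejected by the browser, so the
// exact origin is echoed back, and only when it is on the allow list.
function corsHeadersFor(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"]; // assumed lowercased header key
  if (!origin) return {};                  // same-origin or non-browser caller: nothing to add
  if (!allowedOrigins.includes(origin)) return {}; // unknown site: browser blocks the response
  return {
    "Access-Control-Allow-Origin": origin,        // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",   // allow the session cookie to be sent
    "Vary": "Origin",                             // keep shared caches from mixing origins
  };
}

// Client side: fetch-style options for the current-user call. Cookies identify
// the user, so credentials must be included; JSON is requested explicitly (and
// via the .json suffix) so an HTML document does not come back instead.
function currentUserRequest(forumBase) {
  return {
    url: `${forumBase}/session/current.json`,
    options: {
      method: "GET",
      credentials: "include",
      headers: { Accept: "application/json" },
    },
  };
}

// Read the username defensively: current_user is absent when the visitor is
// logged out, and the whole object is missing when HTML came back, which is
// what produced "Cannot read property 'username' of undefined" above.
function usernameFrom(json) {
  if (!json || typeof json !== "object" || !json.current_user) return null;
  const name = json.current_user.username;
  return typeof name === "string" ? name : null;
}
```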