I need a URL that will return 200 for a logged in user and 401 or 403 if the user is not logged in.
If require_login is checked, every page does a 301 to the login page.
Is this a user request, i.e. using the current users session?
Or…
Is this an admin API request using an admin API key?
Yeah. It’s me not understanding the question I’m asking.
I’m trying to do an auth_request in NGINX to tell whether the request is coming from a user that’s logged in by querying an URL to see whether it gets a 200 response or not.
It’s occurring to me that doing that is not quite as simple as I’d hoped.
You could try /session/current.json
It will return 200 if authenticated and 404 if not.
Generally .json / API requests don’t redirect.
That seems promising. I’ll keep poking at it.
Many thanks!
Is there an easy way to do this from a different subdomain?
Example, the forum is at forum.example.com and the request is coming from example.com (either from the frontend or backend code).
Sure. You can make an API call from anywhere.
But this specific call needs to be done from the frontend, since it will use the session cookies sent by the browser to the forum.
The Discourse session cookie appears to be just for the subdomain, so would the cookie be accessible from the top-level domain? I see _forum_session on the Discourse subdomain but it doesn’t appear when visiting the TLD.
If the cookie were available on the top-level domain, I was thinking that it would also be passed to the backend, so the backend could forward it to Discourse, but I’m not sure.
Maybe it requires using Discourse as an SSO provider? If it isn’t known whether the user is logged in, then we could redirect through the SSO process to check. I’m currently setting it up on a test server to see if it would work.
Edit: my end goal is to generate a JWT with the user data from Discourse (only if logged in to Discourse) and pass it to Firebase. There is a Discourse server on the subdomain, an extra backend server that can perform additional logic, and an SPA that connects to Firebase if given a JWT.
If you want anything fancy like this you would need to implement your own CurrentUserProvider
Thanks, I just looked it up and found this other thread, so I’ll ask some more questions about it over there.
Edit: it looks like we can do what we need with Discourse as an SSO provider.
If you can do it with SSO I highly recommend you go that path vs a provider
Thanks, it looks like we can check if a user is logged in and then redirect through Discourse’s SSO route if not logged in. It seems to work well on my laptop. The user logout webhook from Discourse can then log them out of the other app.
能否请您简单解释一下,我们如何检查用户是否已从另一个子域名登录到 Discourse?我正在尝试在我的路由处理器(服务器端)中实现一个认证中间件,以检查用户的 Discourse SSO 登录状态是否仍然有效。
我试图为 Web 应用实现几乎相同的功能,但无法弄清楚如何检查用户是否仍然保持登录状态。(最好是检查当前用于向服务器发送请求的同一浏览器中的登录状态)
谢谢!
我相关的代码尚未上线,但如果用户通过另一台服务器(以 Discourse 作为 SSO 提供商)进行重定向,那么该外部服务器上就会存在会话。我在那里创建了一个类似 /auth/is-authenticated 的路由,用于返回用户的登录状态。它的主要作用是在用户已登录时隐藏“登录”按钮。当用户从 Discourse 注销时,我认为会通过 webhook 使其在另一台服务器上也同时注销。我有一段时间没检查代码了,但印象中我是这样配置的。
外部服务器如何检查用户的浏览器是否仍登录在 Discourse 中?我认为另一个域名甚至无法访问 Discourse 登录后设置的 Cookie。
我的目标是:仅当用户通过当前活动的浏览器从 Discourse 登出时,让外部(非 Discourse)服务器也将该用户登出。(这甚至可行吗?)
感谢您的回复。
当用户在外部应用时,点击登录按钮,会通过 Discourse 的 SSO 提供商流程进行路由,然后返回外部应用。该外部应用可以存储包含用户数据的会话。当用户从 Discourse 注销时,Webhook 可以删除外部应用的会话。我不太确定,但我想 Webhook 的头部是 X-Discourse-Event: user_logged_out。
编辑:从外部站点注销是通过 Discourse API 完成的。
与其询问 Discourse 用户是否已登录,不如直接询问外部应用。在我的情况下,这仅用于在外部站点中移除登录按钮等操作。
我稍后可以再次检查我的代码。我有一段时间没看过它了,但我认为它确实做了类似的事情。
谢谢您的回复!非常感激。
是的,我现在明白了。通过 API 登出的唯一问题是,用户将从所有会话中登出(在所有设备上——因为 API 无法区分当前浏览器的会话和其他已登录的浏览器)。