Login using API, from a mobile APP


(Kiko Lobo) #1


I am working on an iOS app for a particular Discourse forum (www.movic.me).

I want the users of my app to be able to log in to their account to post and read notifications.

It would also be incredible to allow new users to register or log in using Facebook/Twitter accounts.

Is this possible?

I have working access to the API using the API key generated in the admin. However, this will give my users admin privileges.

Anything that can point me in the right direction would be great!

(Kane York) #2

You’ll need to use a “cookie jar” library and X-CSRF-Token headers instead of API keys.

(Kiko Lobo) #3


Can you explain in a little more detail?

Is that a plugin, a library, or HTTP headers I use on the API request?

Anything that can point me in the right direction would be great!

(Kiko Lobo) #4

I understand that I will have to hold the cookies somewhere. However, how will a user obtain the X-CSRF-Token through the API and how will he be able to sign in if he registered using Facebook for instance?

And if I am creating a new user using the API, is there a way to sign him up using Facebook?

(Kane York) #5

GET /session/csrf.json

Yes - use some kind of WebView that saves to the same cookie jar you use for everything else.

I’m not going into much detail here because these are the kind of things you’ll need to figure out in order to succeed on this.

(Kiko Lobo) #6

One last question. If I am doing the app in iOS… does the cookie jar thing still apply?

(Apparently Archetype) #7

Yes. You need to store the cookies set by Discourse so that it knows who you are for each request. Without the cookie jar, you are a different, unauthenticated person as far as Discourse can tell every time you make a request.
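The point made in posts #2, #5 and #7, as an added example that is not part of the original thread: a client that fetches a token from `/session/csrf.json` and sends it back in `X-CSRF-Token` is only accepted when the same cookie jar carries the session cookie on both requests. The stub server, the `sid` cookie name, the `{"csrf": ...}` response shape and the `/demo/action` route are constructed assumptions for the demo, not Discourse's own code.

```python
import json, secrets, threading, urllib.error, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # constructed stub state: session cookie value -> CSRF token
class StubForum(BaseHTTPRequestHandler):  # constructed stand-in for the forum
    def log_message(self, *args): pass    # keep the demo quiet
    def _sid(self):
        cookie = self.headers.get("Cookie", "")
        return cookie.split("sid=", 1)[1].split(";")[0] if "sid=" in cookie else None
    def _reply(self, code, body, sid=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        if sid:
            self.send_header("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self):  # issue a session cookie plus a token bound to it
        sid = self._sid() or secrets.token_hex(8)
        SESSIONS[sid] = secrets.token_hex(16)
        self._reply(200, {"csrf": SESSIONS[sid]}, sid)
    def do_POST(self):  # hypothetical state-changing route: cookie AND token must match
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid, sent = self._sid(), self.headers.get("X-CSRF-Token", "")
        ok = sid in SESSIONS and secrets.compare_digest(SESSIONS[sid], sent)
        self._reply(200 if ok else 403, {"ok": ok})

def post_with_token(base, use_jar):  # returns the HTTP status of the POST
    handlers = [urllib.request.ProxyHandler({})]  # reach the loopback stub directly
    if use_jar:
        handlers.append(urllib.request.HTTPCookieProcessor(CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    with opener.open(base + "/session/csrf.json") as resp:
        token = json.load(resp)["csrf"]
    req = urllib.request.Request(base + "/demo/action", data=b"{}", headers={"X-CSRF-Token": token})
    try:
        with opener.open(req) as resp:  # data is set, so this is a POST
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubForum)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    result = (post_with_token(base, True), post_with_token(base, False))
    server.shutdown()
    return result  # (status with cookie jar, status without)
```

On iOS the same role is played by the HTTP client's cookie storage shared with the web view, as post #5 describes.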

(Kiko Lobo) #9

Thank you for the info. Really helpful!

So basically, I go to Facebook and get a token (either because the user is registering or signing up, I get an OAuth token)… I store that token locally and use that token for every request.

So basically the cookie jar is a way to store that key locally, correct? Not necessarily a framework of some sort.


(Apparently Archetype) #10

That is correct. Most HTTP client libraries have such a capability built in, although it usually isn’t utilized by default.

(Prasad Chitale) #11


Just curious to know if you were able to connect your mobile app to the forum.

It will be great if you can share your experience about the same.


(Sam Saffron) #12

See GitHub - discourse/DiscourseMobile: Discourse Mobile Notifier for an example of how this is done using user API keys.