Not getting into details, but I am making a web portal which gives users a reputation on the basis of some parameters defined by us. For that, we need to fetch the summary (/u/{username}/summary.json) details. But later I realised anyone can enter any username and hijack another user’s reputation. Could you suggest an optimal way where I can simply get that user’s summary only? Also, it is a web portal, so I am getting CORS errors too (which I kind of compensated for by using a cors-anywhere server). Could you suggest the standard Discourse ways to handle it?
I have, however, tried to compensate for the user verification problem by checking the value of user.can_edit at the /u/{username}.json endpoint, which I hope will be true iff the user is logged in and the username is theirs. But when trying to send that request from the server, I certainly can’t attach the cookies which were automatically getting included by the browser when sending the request. So it would always be false.
Also, I have checked the docs regarding user-api-key generation, which will send requests as that user, but there are CORS problems there too. (Isn’t there anything like: if there is a valid user-api-key in the headers, then that request will get a response back?)
Edit: Also, one important thing: I am a non-admin, non-moderator user on that forum.