Somehow new tokens take some time to become available.
My mobile app logs the user in via the auth/authenticate endpoint. The token is returned successfully. Then the app tries to get the user data via users/me right after the token response. But the API says item not found with status code 404. Then I re-called getting the user after the failing attempt and it works.
Returning user data with the token is the most basic and swift way. But I do not know if you have security concerns on this.
@rijkvanzanten — thoughts?
Are you awaiting the login request to be done before trying to use the token? I don't know about swift in particular, but in JavaScript it's the difference between:
```js
client.login();
client.getMe(); // fails, cause login hasn't finished yet
// vs -------
await client.login();
client.getMe(); // now it works, cause login is fully done
```
Which is what my code is doing @rijkvanzanten. But another thing came to my mind. Will check it.
On the other hand, even if I can fix my issue, I still think that returning user data with the token is a better thing if there are no security concerns. What do you say?
And yes, my issue is a Subject. Even if I do everything as you said @rijkvanzanten, I missed the subject subscription. Its value is changed before the code can persist the token and it gets a null value from the storage.
We can remove the 'bug' label @benhaynes
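An added example (not code from this thread or from Directus) modelling the race described above: a token Subject notifies its subscriber before the token has been persisted, so the subscriber reads null from storage and its users/me call fails, while persisting before emitting succeeds. The Subject, api, storage and persist helper are constructed stand-ins.

```javascript
// Minimal stand-in for an RxJS-style Subject: subscribers run synchronously on next().
class Subject {
  constructor() { this.listeners = []; }
  subscribe(fn) { this.listeners.push(fn); }
  next(value) { this.listeners.forEach((fn) => fn(value)); }
}

// Constructed stand-in for the API: authenticate issues a token, getMe requires it.
const api = {
  async authenticate() { return { token: 'constructed-token' }; },
  async getMe(token) {
    if (!token) return { status: 404 }; // mirrors the "item not found" seen in the thread
    return { status: 200, user: { email: 'user@example.test' } };
  },
};

// Asynchronous persistence, like a mobile key-value store (constructed).
async function persist(storage, token) {
  await Promise.resolve(); // yields once, like a real async write
  storage.set('token', token);
}

// Performs one login and returns the HTTP status of the users/me request that the
// subscriber makes. persistBeforeEmit selects the fixed (true) or buggy (false) order.
async function loginAndFetchMe(persistBeforeEmit) {
  const storage = new Map();
  const token$ = new Subject();
  let mePromise = null;

  // The app reacts to a new token by loading the user, but reads the token back
  // from storage rather than using the emitted value.
  token$.subscribe(() => {
    const stored = storage.get('token') || null;
    mePromise = api.getMe(stored);
  });

  const { token } = await api.authenticate();
  if (persistBeforeEmit) {
    await persist(storage, token); // fixed: write first, then notify subscribers
    token$.next(token);
  } else {
    token$.next(token);            // buggy: subscribers run before the write lands
    await persist(storage, token);
  }
  return (await mePromise).status;
}

loginAndFetchMe(false).then((s) => console.log('emit before persist:', s)); // 404
loginAndFetchMe(true).then((s) => console.log('persist before emit:', s));  // 200
```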
I guess that you're one request away from getting that data anyway, seeing you are authenticated at that point, so I guess there's no security issues 🤔
I am wondering if it makes sense though, the /auth/authenticate endpoint is to authenticate yourself, not to get the user data. By returning the user data, we make that endpoint slower for every time you authenticate. That being said, there's a good argument to be made that most people might want access to the user's info on login anyway.
Don't know if it makes sense or not. For example, Firebase Authentication returns data. But I'm sure there are other authentication systems not doing this, like you.
Maybe we can pass a parameter to indicate if we request user data too.
I agree with @anelad. Even I want this feature - IMO, we can get rid of another API call for getting the user details after login if we get the user object in the authentication API.
In fact, many well-known applications are doing this. So it will be great if we have this feature in Directus.
@rijkvanzanten - Returning the User Object in the authentication API doesn't have any security issue.
> the /auth/authenticate endpoint is to authenticate yourself, not to get the user data.

I agree with you. But as @tinadetroja mentioned - the system will require the logged-in user's data after login. So if we provide it in the authentication API itself then another API call can be avoided.
Aight! Let's go ahead and add it in @bjgajjar