
How do I determine if a user is a viewer so I restrict them from using my app?

Hi, you can use something like this:
 

```typescript
try {
  // Ask the monday SDK for the current context (user, permissions, ...).
  const ctx: any = await monday.get('context')
  const data = ctx?.data || {}
  const user = data.user || {}
  const permissions = user.permissions || data.permissions || {}
  const role = user.role || user.userKind || user.kind || data.role || null
  // Treat the user as a viewer if any view-only flag or viewer-like role name is present.
  const viewer = Boolean(
    user.is_view_only || user.isViewOnly || user.isViewer ||
    permissions.is_view_only || permissions.isViewOnly ||
    (typeof role === 'string' && ['viewer','view_only','read_only','ViewOnly','Viewer'].includes(role))
  )
  setIsViewer(viewer)
} catch (_) {
  // If the context cannot be read, the user is treated as a non-viewer.
  setIsViewer(false)
}
```


@miwas Thanks, that was very helpful

Do you have any idea how I can make it so the user is asked for scopes authorisation after the app installation, using seamless authentication?


So what you need to do for OAuth is something like this (attaching the code; I think you should clean it up a bit, and of course don’t forget to set the env). By default it’ll request from the user all the scopes that your app asks for (you need to set them inside the app in the Developer Center).

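```javascript
const express = require('express');
const jwt = require('jsonwebtoken');

const router = express.Router();
// authenticateToken is the app's own auth middleware (defined elsewhere);
// it must populate req.decoded.userId.

router.get('/oauth/start', authenticateToken, async (req, res) => {
  try {
    const clientId = process.env.MONDAY_CLIENT_ID;
    const jwtSecret = process.env.JWT_SECRET;
    const explicitRedirect = process.env.MONDAY_OAUTH_REDIRECT_URI;
    const backendBase = (process.env.BACKEND_URL || '').replace(/\/+$/, '');
    // Only derive the callback URL when BACKEND_URL is set, so the check below can catch a missing value.
    const redirectUri = explicitRedirect || (backendBase ? `${backendBase}/api/monday/oauth/callback` : '');
    if (!clientId || !redirectUri) {
      return res.status(500).json({ error: 'Missing MONDAY_CLIENT_ID or MONDAY_OAUTH_REDIRECT_URI/BACKEND_URL' });
    }
    // No hard-coded fallback secret: with a known key, anyone could forge the state token.
    if (!jwtSecret) {
      return res.status(500).json({ error: 'Missing JWT_SECRET' });
    }

    // return_to comes from the query string; validate it before it is ever used as a redirect target.
    const returnTo = (req.query.return_to && String(req.query.return_to)) || (process.env.FRONTEND_URL || '');
    // Short-lived signed state ties the callback to this user and carries the return destination.
    const stateJwt = jwt.sign(
      { userId: req.decoded.userId, returnTo },
      jwtSecret,
      { expiresIn: '10m' }
    );

    const authUrl = new URL('https://auth.monday.com/oauth2/authorize');
    authUrl.searchParams.set('client_id', clientId);
    authUrl.searchParams.set('redirect_uri', redirectUri);
    authUrl.searchParams.set('state', stateJwt);
    if (req.query.subdomain) authUrl.searchParams.set('subdomain', String(req.query.subdomain));
    if (String(req.query.force_install_if_needed || '') === 'true') authUrl.searchParams.set('force_install_if_needed', 'true');

    // Return JSON with the URL so the frontend can navigate (and include the Authorization header on this request)
    res.json({ url: authUrl.toString(), redirect_uri: redirectUri });
  } catch (e) {
    console.error('[monday/oauth/start] error:', e?.message || e);
    res.status(500).json({ error: 'Failed to start OAuth' });
  }
});
```
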

Here is the doc: https://developer.monday.com/apps/docs/oauth
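
The `return_to` value in the route above is taken from the query string and signed into `state`. As an added example (not part of the original post or of monday's code), this is one way to restrict it to the app's own frontend origin before signing, assuming the callback later redirects the browser to it; `safeReturnTo` and the example.com hosts are hypothetical.

```javascript
// Added example: allow return_to only on the app's own frontend origin.
// frontendUrl corresponds to the FRONTEND_URL env var used in the post.
function safeReturnTo(candidate, frontendUrl) {
  const base = new URL(frontendUrl); // throws early if FRONTEND_URL is misconfigured
  const fallback = base.origin + '/';
  if (typeof candidate !== 'string' || candidate === '') return fallback;

  // Control characters and backslashes are normalised differently by browsers
  // and servers ("/\host" can end up as "//host"), so reject them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return fallback;

  let target;
  try {
    // Resolving against the frontend origin lets plain paths through and turns
    // "//host" or "https://host" into an absolute URL that can be compared.
    target = new URL(candidate, base.origin);
  } catch {
    return fallback;
  }

  // Same scheme, host and port only. Non-http schemes have origin "null",
  // and userinfo tricks or look-alike hosts resolve to a different origin.
  if (target.origin !== base.origin) return fallback;
  if (target.username || target.password) return fallback;

  return target.origin + target.pathname + target.search + target.hash;
}

// Constructed sample inputs (not from the thread).
const FRONTEND = 'https://app.example.com';
const samples = [
  '/settings?tab=auth',
  'https://app.example.com/done',
  'https://evil.example/phish',
  '//evil.example/phish',
  'https://app.example.com@evil.example/',
  'https://app.example.com.evil.example/',
  'javascript:alert(1)',
  '/\\evil.example',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeReturnTo(s, FRONTEND));
}
```

In the route, the validated value would replace the raw `returnTo` before `jwt.sign` is called, and the callback would apply the same check again after verifying `state`.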


@miwas I have something like this, but I don’t even know if it runs, because during the testing carried out in the approval stage it doesn’t work, because I’m also sending an email but the QA is not receiving the email. Now I have been told that OAuth is not the best approach for a board view app, and that I should use seamless auth. The whole thing is just confusing.