Skip to main content

Secure Widget Views & Custom - Best Practices?

  • July 11, 2020
  • 3 replies
  • 2417 views
kamescg

What’s the best practice for securing custom views?

The documentation obviously shows how to setup an application accessible via an ngrok URL, but I don’t see any reference to best practices for securing views.

https://monday.com/developers/apps/quickstart-view

Do we add authentication in the view? Pass data into the iFrame? Something else?

Sorry if I am just missing something, but didn’t see anything links in the documentation for View security.

This topic has been closed for replies.

3 replies

basdebruin
  • basdebruin
  • Community Expert
  • July 11, 2020

Hi @kamescg

I do not have experience with views yet, but I did successfully build a number of integrations with the apps framework. The authorization is done on app level, not on feature level. Therefore I don’t think it makes any difference if you build integrations or views. At the app level you can specify your authorization endpoint. Within this endpoint you start the authorization handshake. This is basically a few requests, starting with redirecting to https://auth.monday.com/oauth2/authorize? with your clientid and a callback url:

  return res.redirect(
"https://auth.monday.com/oauth2/authorize?" +
  querystring.stringify({
    client_id: process.env.MONDAY_CLIENT_ID,
    redirect_uri: redirectUrl,
    state: state,
  })

);

The callback url is then called by the authorization handshake with a code.

router.get(“/oauth/callback”, async (req, res, next) => {
const code = req.query.code || null;
const state = req.query.state || null;
const error = req.query.error || null;

Then you do the final handshake to get the token (I store it in a database as you can see)

const authRequest = {
url: “https://auth.monday.com/oauth2/token”,
form: {
redirect_uri: redirectUrl,
client_id: process.env.MONDAY_CLIENT_ID,
client_secret: process.env.MONDAY_CLIENT_SECRET,
code: code,
},
};

request.post(authRequest, function (error, response, body) {
if (!error && response.statusCode === 200) {
const jsonBody = JSON.parse(body);
const token = jsonBody.access_token;
const scope = jsonBody.scope;
mySqlAccess.createToken(accountId, userId, accountUrl, token, scope);
res.redirect(backToUrlCommit);
} else {
res.redirect(backToUrlCancel);
}
});

These are just fragments of my code to do the authorization, but it should give you a general idea how to handle authorization. Hopes it gets you on track.

kamescg
  • kamescg
  • Author
  • Participating Frequently
  • July 11, 2020

Thanks for the snippets. That’s the setup I figured - just wanted to make sure 🙂

edit: After a little more digging it’s making more sense.

LaurentConroux
  • LaurentConroux
  • Participating Frequently
  • July 13, 2020

Hi @kamescg,

You might also want to check monday sdk when working on Views/Widget.

GitHub
Terms & ConditionsCookie settingsAccessibility statement