Where to put app settings and how to authenticate on settings page?

Forum|Forum|3 years ago
November 29, 2022
27 replies
1826 views

oalbrecht
Participating Frequently

I’m building an integration and have the need for a settings page for the integration. Where do you recommend that settings page is added?

I noticed there’s an Account Settings View that can be added to an app. I was trying to add a settings page there using a custom URL from my server, but am having issues with authentication. I noticed that JWT is not used for that page, but instead a session token is passed to the page. Trying to use the Monday SDK and setting this token with monday.setToken(sessionToken) leads to a “Not Authenticated” response once I try and make an API call with monday.api(MY_QUERY).

If you recommend I use the Account Settings View for an apps settings, how should I authenticate with my server so I only show the settings relevant to that user?

Another option I’ve seen is using a Board View, but then the page is tied to a board, which doesn’t seem to make sense from an app settings perspective, since the integration isn’t board-specific.

Show first post

1
2

Forum|pagination.label 2 / 2

A

anon29275264
Participating Frequently
Forum|Forum|2 years ago
December 4, 2023

The account_id, user_id, app_id - everything you’d need to use it for authenticating a requests… here is why.

The token is used for authentication between a front end app and a backend for the app - this is its purpose per the documentation.

Since this thread started out being about app settings apps, if the app has a backend where settings need to be set (entirely conceivable) then anything we send to the backend must include the account_id at a bare minimum just to work. We also need to send the token to authenticate. The token contains the account_id, so its a great way to send the account_id. Even if we sent the account ID in the request body, we’d need to verify the token is for the same account because otherwise someone could from their own account manipulate requests and access other other accounts! Thats why the token contains the account_id, to prevent that!

Lastly we must validate the payload if we use it, because we are required to do so per the marketplace approval process - and that is why we need its structure, types, etc. defined, so we can adhere to the security requirements monday.com has placed on us.