Understanding Session Tokens

I am trying to understand how session tokens work in Appery.io, and it is not quite clear.

I created an Appery.io database with one user. I created an Appery.io security provider linking to the database. I have an API Express project where "Allow only authenticated users to call REST APIs in this project" is checked and the security provider is selected.

Now when I go to test the service, a session token is required. When I click on "Obtain session token" I can enter the username and password, and it does indeed generate a session token. What is not clear to me is how API Express knows the session token is valid.

I am working towards creating a custom login flow where the username/password are stored in a remote SQL database. Previous discussions and recommendations by Max stated:

1. Create a login service which accepts username/password which are stored in an external database. The login service would consist of a SQL component (with SQL query to make a request to the external database).

2. If credentials are correct then generate a user session token (using your backend/database). You can save the session token in Appery.io database.

3. You can check this session token before any secured service invocation.

In moving forward to steps 2 and 3, I need to understand how to generate session tokens using my backend/database and save the session token in the Appery.io database.
Based on my observations of allowing only authenticated users to call REST APIs and generating the session token in Appery.io, it is not clear how API Express knows the session token is valid.

Any insight would be appreciated.
  • Some other thoughts regarding this topic...

    With respect to the advised external DB login flow, is it possible to enable "Secure REST API: Allow only authenticated users to call REST APIs in this project" if not using the Appery.io database's predefined users collection?

  • Hello Jeffry,

    A sessionToken is generated using the Appery.io database, so you have to have that user in that database to get the sessionToken. API Express can check that value, so it "knows" the valid sessionToken.
    So if you don't use the Appery.io database/login feature, it is impossible to use that secure REST.

  • Whoa, what, you're kidding, right? If this is true I almost don't know what to say. Almost two months ago Max advised on how to accomplish authenticating on an external DB exposed via API Express:

    https://getsatisfaction.com/apperyio/...
    Today we have out-of-the-box authentication support for Appery.io database and LDAP. Supporting external databases for authentication is on our roadmap.

    Here is a general solution/answer to your question:

    - Create a login service which accepts username/password which are stored in an external database. The login service would consist of a SQL component (with SQL query to make a request to the external database).
    - If credentials are correct then generate a user session token (using your backend/database). You can save the session token in Appery.io database.

    - You can check this session token before any secured service invocation.

    Today this flow is part of your app logic. We will simplify it once we have out-of-the-box authentication for an external database.

    "YOU CAN CHECK THIS SESSION TOKEN BEFORE ANY SECURED SERVICE INVOCATION"

    Seriously, what was all that about authenticating and generating a session token when it means absolutely nothing? You guys sent me on this mission to create an elaborate pseudo-authentication scheme to secure the front while the back door remains wide open?

    Max, please tell me that your original statements are accurate and that we can secure the service using the flow you advised?
    • It would be custom logic. In API Express, right after the Start component, you can add a Script or Server Code component to check if a session token you generated is still valid. This is high level. I don't have an example.
    • I understand what you are saying now. They can still invoke the service, but custom logic within the service.

      Thank you for taking the time to explain this in a way I understand

  • Hello Support. From what I understand after reading comments about Session Tokens is that what I'm trying to do will require custom coding logic.

    I'm trying to use the 'update_script' server code logic for the profile page, but can't test because I keep getting the error that the userLogininfo session token is missing or not defined. This is the only line of code that is different from the server code I created to update other components of the app, but this is the only logic that pulls directly from the registration/login information.

    Do I need custom server code logic written to perform this duty: update the registration database with additional information a user inputs after registering and then completing their profile page?

    Step 1: Customer registers
    Step 2: After registering, the customer completes their profile page

    Step 2 is where I'm having an issue with updating the registration database with the new information that the user has included in their profile after registering.

    If this is correct, please let me know so I can get this worked on sometime this week.

    Thanks.

    Ryan

  • Database and server code information, in case you want to look at it:

    Database: AKAUserDB
    Collection: AKAUserProfile
    Server Code: AKARegister_update_script_New_Profile

    Code that updates correctly and that I used to create the update profile script:
    Database: m1ExcelDATA
    Collection: 1dividend1_monthly
    Server Code: Dividend1_4update_script

    Everything should be shareable with you. Please let me know if it's not and I will turn it on. Thanks.

    Ryan

  • Hello Ryan,

    You can keep all users' information in the same "users" collection, so you don't need to create a new one.

    You are right, you need to call an update user service right after registration to update all new information in the database. Just call the user update service directly from the application, using the session token and userID: https://docs.appery.io/reference#data...