Using token to load report using javascript

Martin North shared this question 2 years ago
Answered

We would like to log in a user using the web service, and then use the token when embedding the report using JavaScript. This is described in the wiki under "Basic Use", where the token is passed directly to the report using a URL parameter.


We would like to use the method described in "Advanced Use", where the JavaScript loads the report. In the document it lists the options, which include username and password, but don't include token.


Is this an omission from the document, or when loading the report in javascript, is username and password the only way to authenticate? This seems like it might be less secure?


I'm hoping to find out the easy way, before I assign developers and find out the hard way.

Comments (4)

1

After posting I found this thread https://community.yellowfinbi.com/topic/loadreport-using-token, but I don't understand the final comment.

1

Hello Martin,


The bit of code forces the system to generate a token (using a web redirect call) but is only usable with the webAPI.


As a workaround:


You can either embed a user/password in the JS (unsecure, but it can go to a restricted account which has limited access to items).

Or you can use a web form to grab a user/pass and pass it into the JS call - this may give some weird results if the user can't be authenticated correctly.


I hope that this helps and makes sense,

Best regards,

Pete

1

Hi Pete,


Thanks for your answer, but this appears to be contrary to the Javascript API Basic Use documentation, which lists the token as a Report URL parameter.


I'm amazed that the token is supported in the "basic" scenario, but not the "advanced" use case. So - there is no way to use the web service to log in a user, use the token with the JavaScript API, and also pass filter values to the report? This is the specific scenario I need.

1

Hello Martin,


I know it sounds strange, but that's the way the developers have set the system to work.

The simple version of the API is just to embed the report into a page and has limited options, but does have the "token" option for user validation - this script tag cannot be built programmatically and is a one-shot item.


Usually, this simple mechanism will use a guest user and the token is a short way of allowing privilege uplift to a specified user when the code can be viewed by anyone.


The more advanced JSAPI calls allow for "in script" building of report information (report switching/cycling in the same page, for example).

As this is a more fully featured command set, the username/password system has been implemented to allow custom web apps to be built with full user control.


So unfortunately, tokens and filters don't work together in this capacity, but you can use a username/password + filter combo.


I'm sorry that it's a bit of an unsatisfying answer!

Best regards,

Pete