[REST API] Access to some REST API endpoints fails with plugin access token #1307

Open
1 of 2 tasks
pierrecamilleri opened this issue Nov 15, 2024 · 0 comments
pierrecamilleri commented Nov 15, 2024

Describe the current behavior

I am not sure if this is a bug or a feature, but it looks like a bug to me.

The documentation of the plugin getAccessToken function says:

The returned token can be used to authorize regular REST API calls that access the content of the document.

However, this token does not work for some API endpoints, despite the plugin having complete access to the document.

For instance, at least the /download/csv and /download/table-schema endpoints are affected.

I have not found any workaround (except asking the user to provide an ApiKey), and my question on the community forum has been left unanswered.

Steps to reproduce

  1. Create a new document with a table "Table1" (hardcoded in script)
  2. Add a custom widget to the page with URL: https://validata-table.gitlab.io/validata-grist-plugin/bug-report.html
  3. Give it full document access
  4. Look at the response status and body in the widget window: response status 403 and body access denied

I reproduce the widget code here (for reference, and in case it is not available in the future).

Widget code
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>onRecords</title>
    <script src="https://docs.getgrist.com/grist-plugin-api.js"></script>
  </head>
  <body>
    <pre id="csv">Waiting for data...</pre>
    <script>
      grist.ready();
      grist.onRecords(async function(records) {
        // Ask Grist for a short-lived, read-only access token for this document.
        const tokenInfo = await grist.docApi.getAccessToken({readOnly: true});
        const responseData = await fetchCSV(tokenInfo);
        document.getElementById('csv').innerHTML = responseData;
      });

      // Call the CSV export endpoint with the token passed as the `auth`
      // query parameter, and return a text report of the request and response.
      async function fetchCSV(tokenInfo) {
        const queryParams = new URLSearchParams({
          auth: tokenInfo.token,
          tableId: "Table1"
        });

        const url = `${tokenInfo.baseUrl}/download/csv?${queryParams.toString()}`;

        let responseData = "";

        try {
          const response = await fetch(url);

          responseData += "Request:<a href=\"" + url + "\"> " + url + "</a>\n";
          responseData += "Response Status:" + response.status + "\n";

          const responseBody = await response.text();

          responseData += "Response Body:" + responseBody + "\n";
        } catch (error) {
          responseData += "Error:" + error;
        }

        return responseData;
      }
    </script>
  </body>
</html>

Without the auth query parameter, I get a different message: {"error":"No view access"}.

Describe the expected behavior

I expect the CSV export API endpoint to be available from within the widget, with the access token given as the auth query parameter.

Where have you encountered this bug?
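
Added example, not part of the original issue or of the Grist project's code: a probe that sends the same plugin token to several endpoints and records which ones accept it, redacting the token from every URL it reports. The `/tables/Table1/records` control endpoint and all function names are assumptions; the two `/download/...` paths, `Table1`, and the `tokenInfo` shape come from the report.

```javascript
// Endpoints to compare with one token. The first entry is an assumed control
// (a regular document-content call); the other two are the paths from the issue.
const ENDPOINTS = [
  { path: "/tables/Table1/records", params: {} },
  { path: "/download/csv", params: { tableId: "Table1" } },
  { path: "/download/table-schema", params: { tableId: "Table1" } },
];

// Build the request URL the same way the widget does (token in `auth`).
function buildProbeUrl(tokenInfo, endpoint) {
  const query = new URLSearchParams({ auth: tokenInfo.token, ...endpoint.params });
  return `${tokenInfo.baseUrl}${endpoint.path}?${query.toString()}`;
}

// Replace the token before a URL is displayed, logged or pasted into a report.
function redactToken(url) {
  const parsed = new URL(url);
  if (parsed.searchParams.has("auth")) parsed.searchParams.set("auth", "REDACTED");
  return parsed.toString();
}

// Map a response onto the outcomes described in the issue.
function classify(status, body) {
  if (status >= 200 && status < 300) return "accepted";
  if (body.includes("No view access")) return "no-token"; // auth parameter missing
  if (status === 403) return "token-rejected";            // token seen, access denied
  return `other-${status}`;
}

// Probe every endpoint with one token; fetchImpl is injectable for offline tests.
async function probeEndpoints(tokenInfo, fetchImpl = fetch) {
  const results = [];
  for (const endpoint of ENDPOINTS) {
    const url = buildProbeUrl(tokenInfo, endpoint);
    let outcome;
    try {
      const response = await fetchImpl(url);
      outcome = classify(response.status, await response.text());
    } catch (error) {
      outcome = `error: ${error}`;
    }
    results.push({ path: endpoint.path, url: redactToken(url), outcome });
  }
  return results;
}
```

Inside a widget, `grist.docApi.getAccessToken({readOnly: true}).then(probeEndpoints)` yields one row per endpoint that can be attached to a report without exposing the token.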
