This is about authenticating calls from Smart Actions to an external service. I’m hoping to learn best-practices for making a secure call to our service’s main API.
Our application uses a highly-customized API with fine-grained controls over the state of each resource. Rather than duplicate the functionality for the admin actions allowed by the primary API into Forest, I’d like to use Forest Smart-Actions to collect the inputs and send those to our external API. Our API uses standard JWT auth.
I can see the req.user object in my Smart Action. However, I’m of how to authorize that user to interact with my external API.
I expect that I should write a JWT class/service that extracts some fields from the
req.user object, creates a new short-lived JWT, and fires off the request to the other API before resolving. However, I’m not sure if that should be in each smart action, or if I can extend the
permissionMiddlewareCreator.smartAction(), or if I should write my own middleware function that wraps all my external calls.
- Project name: …tiller
- Team name: …personal space
- Environment name: …Development (FEAT/ACTIONS)
- Agent type & version: …
- Recent changes made on your end if any: …
- I found documentation for relying on an external API call. However, I’m still unsure what the best practice would be for an API with JWT auth.