OAuth token for integrations

devagrawal09 · November 26, 2020, 1:05pm

I am creating an integration that sends data from monday.com to an external application. The integration flow is as such:
Whenever an item is created or updated in a board, the integration triggers my custom action url with the board ID from context. The custom trigger endpoint then uses the board ID to get data about the board (all the groups, columns and items) using the graphql API.
To access the API, the app also includes oauth flow for Monday.com api.

My question is: when I receive the update in my custom trigger endpoint, how do I decide which access token to use? All I receive in the custom trigger right now is the board id, and the oauth flow gives me the user id. How do I establish a relationship between the user and board?

I also looked into custom entities, but it doesn’t seem to suit my use case.

dipro · November 26, 2020, 3:15pm

Hey @devagrawal09 – good question.

From what you’re describing, t sounds like you’re using a custom action to update the external application. Is that correct?

If that’s the case, you can add more input fields to your custom action to receive this data. For example, you can set up the action to include the “board” and “user” input fields:

You can then set the block to get these fields from the integration “context”. This means that our server will send you the ID of the current board and user when the action is called. Here’s an example of that in action (no pun intended):

This information should be enough for you to choose the right user’s token.

Let me know if that helps!

devagrawal09 · November 26, 2020, 3:52pm

@dipro thank you for the response! Yes, I am using custom action, sorry for not mentioning that earlier. There might be one issue with the solution though, it is possible that the user who triggered the recipe and action is different from the person who authorized my application and provided the token. The user id sent along in the block is the id of the person who triggers the recipe, is it not? Please correct me if I’m wrong.

basdebruin · November 26, 2020, 4:54pm

hi @devagrawal09

Are you looking for the userid that has requested the monday token through an OAuth handshake?
If so, can’t decode the token, like:

const jwt = require("jsonwebtoken");
const tokenDecode = jwt.decode(token);
console.log(tokenDecode.uid);

devagrawal09 · November 26, 2020, 8:42pm

Thanks, I did that already. The issue is that this user id might not be the same as the user id that is sent to me in the custom integration.

basdebruin · November 26, 2020, 9:41pm

Looks like we are not fully in sync. I read your previous reply and was under the impression that you were looking for the userid of the user who added the recipe to the board.

The userid which is sent in a webhook is the userid who initiated the action (e.g. changed a status).

When not using webhook I like the solution from Dipro to add the user in the recipe builder and define it’s originin as “Context”.

Another solution is to read the activity log and check which user last changed the column triggering the event. (should be very high up in the activity log)

devagrawal09 · November 27, 2020, 8:22am

I agree we are not in sync. I do want the userid of the user who added the recipe to the board, and I know I can get that by decoding the oauth token. I also know that the userid send in a webhook is the id of the user who initiated the action.
My issue is that once I receive the webhook/recipe action, I need to decide which access token to use to make API calls. If the user who initiated the action is the same as the user who added the recipe to the board, then I can just look for the access token related to the user id in my database. But if there is another user who triggered the action on the same board, how do I decide which access token to use?
Please let me know if I need to clarify this issue more.

basdebruin · November 27, 2020, 9:08am

Starting to understand (I think ). Still a little confused why you want to execute the API call with a token other than the token from the user who added the recipe to the board. IMHO this can become very messy. Assume I added the recipe to the board and you trigger the automation. The API call should be done under my token as you might have different board permissions. I use the below piece of code at the start of all my functions that are linked to my endpoints.

try {
    var { authorization } = req.headers;
    if (!authorization && req.query) authorization = req.query.token;
    const { accountId, userId, aud, exp, iat } = jwt.verify(authorization, envVars.signingSecret);
    req.session = { accountId, userId, aud, exp, iat };
  } catch (err) {
    res.status(401).json({ error: "not authenticated" });
  }

  const routePath = "https://" + req.headers.host + "/" + envVars.appCode + req.route.path;
  if (req.session.aud !== routePath) return res.status(401).json({ error: "not authenticated" });

  //Get the token from the token table
   const token = await mySqlAccess.readToken(req.session.accountId, req.session.userId, envVars.appCode);

devagrawal09 · November 27, 2020, 9:27am

I don’t want to execute the API call with a token other than the token from the user who added the recipe to the board. Let me explain it this way -
Let’s say you are the one who added the integration to a board, and also used oauth to provide a token. In the integration server, there is now an access token that is related with your user id.
Now let’s say I perform an action on your board that triggers the recipe. The recipe sends the board id, and my user id to the integration server. Now because I am not the one who provided the token, the integration server cannot find an access token with my user id. How does the integration server know that it has to find an access token related to your user id, when all it received in the integration recipe is my user id?

basdebruin · November 27, 2020, 10:07am

Sorry, still not getting it . When you say “integration server” is that your backend handling the endpoint configured as custom action? I think you ar wrong by saying that integration server receives your user id, it actually receives my user id (as the creator of the recipe). See my code snippet how I get the accountId (I use my server for many accounts) and userId from the authorization header to get the token (that is the token for the one who created the recipe).

I don’t even have (not do I want to) the tokens for all possible users in my customers accounts. I only have tokens from people who actually added the recipe on one of their boards.

devagrawal09 · November 27, 2020, 7:53pm

Oh okay I did not realize that. I thought the id sent is that of the user who triggered the action. That solves all my problems! Thank you very much

AlexSavchuk · November 28, 2020, 1:27pm

@devagrawal09

I’m glad Bas was able to help - he’s always super insightful

Please feel free to reach out to the community if there’s anything else you’d like to clarify regarding building apps or using the API.

-Alex