Hello,
The SDK provides a function to generate a sessionToken (JWT signed with our app CLIENT_SECRET), which can be used to authenticate calls from an app frontend to its backend.
Currently, this JWT contains the following claims:
{
  "dat": {
    "client_id": "xxxxxxx",
    "user_id": 1234564879,
    "account_id": 1234564879,
    "slug": "instance-slug",
    "app_id": 123456,
    "app_version_id": 123456,
    "install_id": -2,
    "is_admin": true,
    "is_view_only": false,
    "is_guest": false,
    "user_kind": "admin"
  },
  "exp": 1712402403
}
The idea would be to add context in these claims. For example, if this JWT is issued in:
- a board view feature: provide boardId, instanceId
- an item view feature: provide boardId, instanceId, itemId
- and so on for all view features
The main use for this added context is security.
Example: my user is doing some setup in my app frontend. This setup is linked to a specific board. When the setup is completed, it is sent to the app backend endpoint /api/save/:boardId to be saved. The :boardId URL param is provided by the frontend, but I can't validate that this value wasn't falsified. Which means a user could change the :boardId param and replay the request to act on another board.
The current workaround would be to set up OAuth authorization to retrieve a user token, then call the monday API in the backend to verify the user's permission against the requested board. But honestly, it adds a lot of complexity to apps.