Secure Widget Views & Custom - Best Practices?

What’s the best practice for securing custom views?

The documentation obviously shows how to set up an application accessible via an ngrok URL, but I don’t see any reference to best practices for securing views.

https://monday.com/developers/apps/quickstart-view

Do we add authentication in the view? Pass data into the iFrame? Something else?

Sorry if I am just missing something, but I didn’t see any links in the documentation for view security.

Hi @kamescg

I do not have experience with views yet, but I did successfully build a number of integrations with the apps framework. The authorization is done on app level, not on feature level. Therefore I don’t think it makes any difference if you build integrations or views. At the app level you can specify your authorization endpoint. Within this endpoint you start the authorization handshake. This is basically a few requests, starting with redirecting to https://auth.monday.com/oauth2/authorize? with your client ID and a callback URL:

  const querystring = require("querystring"); // Node built-in used to encode the query

  // Inside the app's authorization endpoint: send the browser to monday's
  // authorize page with the client ID, the callback URL and a state value.
  return res.redirect(
    "https://auth.monday.com/oauth2/authorize?" +
      querystring.stringify({
        client_id: process.env.MONDAY_CLIENT_ID,
        redirect_uri: redirectUrl,
        state: state,
      })
  );

The callback url is then called by the authorization handshake with a code.

  // Callback route: monday redirects here with the authorization code
  // (or an error) and echoes back the state. The handler body continues below.
  router.get("/oauth/callback", async (req, res, next) => {
    const code = req.query.code || null;
    const state = req.query.state || null;
    const error = req.query.error || null;

Then you do the final handshake to get the token (I store it in a database as you can see):

  const request = require("request"); // HTTP client used for the token exchange

  // Exchange the code for an access token; the client secret stays server-side.
  const authRequest = {
    url: "https://auth.monday.com/oauth2/token",
    form: {
      redirect_uri: redirectUrl,
      client_id: process.env.MONDAY_CLIENT_ID,
      client_secret: process.env.MONDAY_CLIENT_SECRET,
      code: code,
    },
  };

  // accountId, userId, accountUrl, backToUrlCommit and backToUrlCancel are
  // set elsewhere in the author's code (not shown in this fragment).
  request.post(authRequest, function (error, response, body) {
    if (!error && response.statusCode === 200) {
      const jsonBody = JSON.parse(body);
      const token = jsonBody.access_token;
      const scope = jsonBody.scope;
      mySqlAccess.createToken(accountId, userId, accountUrl, token, scope);
      res.redirect(backToUrlCommit);
    } else {
      res.redirect(backToUrlCancel);
    }
  });

These are just fragments of my code to do the authorization, but it should give you a general idea how to handle authorization. Hope it gets you on track.

Thanks for the snippets. That’s the setup I figured - just wanted to make sure :slight_smile:

edit: After a little more digging it’s making more sense.

Hi @kamescg,

You might also want to check the monday SDK when working on Views/Widgets.