Authenticating form submissions

I’m trying to get my head round how to authenticate form submissions. I played with using hidden fields in a form and the API to get the member name, uuid and email. However, that’s not really secure. Is there any way I can be sure that submitted form data comes from a particular logged-in user, i.e. by using some kind of token?

Use the uuid for the member. It’s unique and difficult to guess.


Is that sufficient? Sounds a bit exploitable? I have found this: Use Ghost authentication to login to custom app. So I am thinking if my forms post to my own domain they could get hold of these cookies and authenticate the user…

Here is where I have got to so far:

  1. make a Node Express app for the API, just with a GET on /process which reads the cookies
  2. make a location in nginx pointing /myapi/forms to this
  3. then on a Ghost page embed JS as follows:

```html
<script>
  // Same-origin request: with credentials: 'include' the browser sends the
  // member's cookies along to the Express handler behind /myapi/forms.
  fetch('/myapi/forms/process', { credentials: 'include' });
</script>
```

My Node app now gets the HTTP-only cookies and should be able to use the secret in the Ghost settings to authenticate.

Next step will be to make the API app serve some HTML to embed via an iframe, and then hopefully I have an authenticated widget.
