Can the Owner Staff token still be used for impersonation?

Hi all,
I’m trying to get an impersonation URL for a user, similar to what’s described here:

I’m successfully creating a jwt using the Owner’s staff token, as the article says, like so:

const jwt = require('jsonwebtoken');

// GHOST_ID and GHOST_SECRET are the two halves of the Owner's staff access token (id:secret)
let GHOST_TOKEN = jwt.sign({}, Buffer.from(GHOST_SECRET, 'hex'), {
    keyid: GHOST_ID,
    algorithm: 'HS256',
    expiresIn: '5m',
    audience: '/canary/admin'
});

I’m pretty sure I’m getting a valid key, because I can get data from the members endpoint OK, like so:

let result = await fetch('https://mysite.ghost.io/ghost/api/admin/members/' + id, {
    method: 'GET',
    headers: {
        'Authorization': 'Ghost ' + GHOST_TOKEN
    }
});
let json = await result.json();

[I also checked the JWT with an online tool, which said it was valid.]

HOWEVER, when I switch to the /ghost/api/canary/admin/members/' + id + '/signin_urls/ endpoint, I get the following error:

      message: 'Permission error, cannot read member_signin_url.',
      context: 'You do not have permission to read member_signin_urls',
      type: 'NoPermissionError',

So… although my JWT works elsewhere, it isn’t working here. Can anyone give me a nudge in the right direction?

I read this thread (Admin API endpoint 403 forbidden - #7 by Kevin) and maybe I need to be doing user authentication instead of using the owner’s staff token? But that thread is older than the Discourse link above, which seems pretty clear about the owner’s staff token working…

help?

1 Like

Update. I can hit the signin_url endpoint if I use an admin session cookie. So it’s not that the endpoint is broken. It either doesn’t like the JWT I’m generating (although I’m following the directions to use the owner’s staff key and that JWT works elsewhere), or it doesn’t take JWTs.

This is basically the last piece I need to build a single sign-on implementation. [Not that I’m done, but I know how to do the rest.] I’d prefer to give the sign-in the owner’s staff key than the owner’s password, if that’s possible.

I opened an issue: admin/members/:id/signin_url won't take Owner's staff access token · Issue #16748 · TryGhost/Ghost · GitHub