Hello Ghost community!
I am trying to follow the advice of @disaza and @egg as laid out here and here.
I am trying to get a JWT for a signed-in member by making a GET request to /members/ssr but I merely get a 404.
Is it still possible to get a JWT for a logged-in Member?
Thanks for your help,
Frei
I discovered the solution to the problem that I was having.
I realize now that I should have named this thread:
“Validating Member Authentication Cookie”.
What I discovered is that Member Authentication is managed via the ghost-members-ssr cookie, that this cookie is signed by the Ghost express server and is scoped to the specific domain hosting the ghost server.
This credential *can be used to authenticate custom software, which one is writing in order to integrate the Ghost CMS into a larger system.
However, the Ghost source code needs to be slightly adjusted --the MembersSSR.js file needs to be manually included and customized, so that the domain of the members-ssr-cookie is set --this makes the cookie valid for all subdomains as well.
Besides that the custom software must have access to the theme_session_secret from the settings table of the Ghost MySQL database. This key needs to be set on custom server to validate signed cookies against.
. . .
Now I’m trying to figure out how to use the admin_session_secret to validate Admin cookie/token.