How to Attach Tokens in Trongate MX
The mx-token attribute in Trongate MX allows you to attach Trongate Tokens to outgoing HTTP requests. This feature enables seamless integration of Trongate's authentication and authorization system with your AJAX requests.
Syntax
<element mx-token="YOUR_TRONGATE_TOKEN">
The mx-token attribute should contain a valid Trongate Token, which is a random string used for authentication and authorization purposes.
Usage
- Add the attribute to an element that triggers an AJAX request (e.g., a button with mx-get or mx-post).
- Set the value to your Trongate Token.
Example
The code sample below is provided for the purposes of clarity only. Never hard code a Trongate Token value into an HTML template or view file!
<button mx-get="http://localhost/api/protected_resource"
mx-token="hnBxP56rZ6rMtUbxqS2gCEE6beKjUd7X">
Fetch Protected Resource
</button>
In this example:
- Clicking the "Fetch Protected Resource" button triggers an AJAX GET request to the specified URL.
- The request includes the Trongate Token in the header for authentication.
Obtaining Trongate Tokens in PHP
Trongate Tokens can be obtained within any working controller file, within the 'modules' directory. The particular PHP code that is used to fetch a Trongate Token value may differ, depending on the use case. However, the following code snippet demonstrates one possible technique that could be used to fetch a Trongate Token value.
$this->module('trongate_tokens');
$trongate_token = $this->trongate_tokens->_attempt_get_valid_token();
Another example of a mechanism by which a Trongate Token could be fetched is by calling the 'Trongate Security' module. For example:
$this->module('trongate_security');
$trongate_token = $this->trongate_security->_make_sure_allowed();
In both of the examples above, the variable $trongate_token would be assigned a value of false (boolean) if the user could not be authorized/authenticated.
Passing Tokens Into View Files
Once the token is obtained, it can be passed to a view file:
$data['trongate_token'] = $trongate_token;
$this->view('manage', $data);
In the view file, you can then inject the token into the JavaScript:
<script>
const trongateToken = '<?= $trongate_token ?>';
</script>
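The following added example (not taken from the Trongate documentation) ties the steps above together: the controller resolves the token per request, stops when the result is false, and the view writes the token into mx-token from the passed variable instead of a hard-coded string. The module name Reports, the placeholder URL, the 401 response and the Cache-Control header are assumptions of this example; htmlspecialchars() and header() are native PHP.

```php
<?php
// modules/reports/controllers/Reports.php (hypothetical module name)
class Reports extends Trongate {

    function manage() {
        // Resolve the current user's token on every request (call shown on this page).
        $this->module('trongate_tokens');
        $trongate_token = $this->trongate_tokens->_attempt_get_valid_token();

        // Per this page, false means the user could not be authorized/authenticated.
        // Stop here so the view is never rendered with an empty or bogus token.
        if ($trongate_token === false) {
            http_response_code(401);
            die('Not authorized');
        }

        // The rendered page carries a per-user secret, so keep it out of caches.
        header('Cache-Control: no-store');

        $data['trongate_token'] = $trongate_token;
        $data['api_url'] = 'https://example.com/api/protected_resource'; // placeholder URL
        $this->view('manage', $data);
    }
}
?>
<!-- modules/reports/views/manage.php (hypothetical view for the controller above) -->
<!-- Values are escaped for the HTML attribute context before being written out. -->
<button mx-get="<?= htmlspecialchars($api_url, ENT_QUOTES, 'UTF-8') ?>"
        mx-token="<?= htmlspecialchars($trongate_token, ENT_QUOTES, 'UTF-8') ?>">
    Fetch Protected Resource
</button>
```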
How It Works
When an element with the mx-token attribute triggers an AJAX request:
- Trongate MX retrieves the token value from the attribute.
- The token is added to the request headers with the key 'trongateToken'.
- The server can then use this token for authentication and authorization purposes.
- Security: Always use HTTPS when sending Trongate Tokens to ensure the tokens are encrypted during transmission.
- Token Management: Implement proper token management on the client-side, including secure storage and refreshing of tokens when necessary.
- Scope: Use tokens with appropriate scopes and permissions for the specific API endpoints being accessed.
Additional Information:
- Trongate Tokens are random strings, typically 32 characters long.
- The mx-token attribute can be used in conjunction with other Trongate MX attributes like mx-get, mx-post, etc.
- Server-side validation of Trongate Tokens is handled by the Trongate framework's authentication system.
Warning: Be cautious when exposing Trongate Tokens in your HTML. Ensure that your application's security measures prevent unauthorized access to these tokens.
Additional Notes
- The mx-token attribute is processed client-side by Trongate MX before sending the request.
- If the mx-token attribute is present, it takes precedence over any token specified in the mx-headers attribute.
- Trongate Tokens can be used for various authentication schemes, including session-based and stateless authentication.
By utilizing the mx-token attribute, you can easily integrate Trongate's authentication system into your AJAX requests, providing a secure and seamless way to access protected resources in your Trongate applications.