Trongate PHP Framework Docs

Attaching Tokens Using JavaScript

Overview

When working with JavaScript, it is essential to include the Trongate token in the HTTP request headers for authentication and authorization. This ensures that the server can validate the user's identity and authorize access to protected resources. Below are demonstrations of how to attach a Trongate token to HTTP requests using JavaScript, specifically with XMLHttpRequest and the modern Fetch API.

Note: The Trongate token should be included in the trongateToken header for all authenticated requests. Ensure that the token is securely stored and transmitted over HTTPS to prevent unauthorized access.

Technique 1: Using XMLHttpRequest

The XMLHttpRequest object provides a traditional way to send HTTP requests in JavaScript. Below is an example of how to attach a Trongate token to the request headers using this approach:

Explanation

  • targetUrl: Replace this with the actual URL of the Trongate API endpoint you wish to interact with.
  • token: Replace this placeholder with the actual Trongate token generated for the user.
  • setRequestHeader: The trongateToken header is explicitly set to include the token for authentication.
  • onload: This event handler processes the server's response once the request is complete.

Technique 2: Using Fetch API

The Fetch API offers a more modern and promise-based approach to making HTTP requests. Below is an example of how to attach a Trongate token to the request headers using the Fetch API:

Explanation

  • targetUrl: Replace this with the actual URL of the Trongate API endpoint you wish to interact with.
  • token: Replace this placeholder with the actual Trongate token generated for the user.
  • headers: The trongateToken header is included in the request to authenticate the user.
  • Promises: The Fetch API uses promises to handle asynchronous operations, making it easier to manage responses and errors.

Developers who are using Trongate MX are advised to use the 'mx-token' attribute to automatically add token data to HTTP requests.

Fetching Tokens from HTTP Headers Using Pure PHP

In server-side PHP code, tokens sent via HTTP headers can be accessed directly using the $_SERVER superglobal. For example:

In the code sample above, a $token variable is assigned the value of a 'Trongate token' passed via an HTTP request header. If no such header is found, the $token variable will be assigned a boolean value of false.

The method, on Trongate Tokens module, automatically checks headers for a valid Trongate token.

Accessing token data from the header via the $_SERVER superglobal does not confirm whether the token passed via the header is valid.

For guidance on how to validate tokens, refer to the token validation documentation.

Security Considerations

When attaching tokens to HTTP headers, keep the following security considerations in mind:

  • HTTPS: Always transmit tokens over HTTPS to encrypt the data and prevent interception by malicious actors.
  • Token Storage: Store tokens securely on the client side. For web applications, consider using secure cookies or session storage to minimize exposure.
  • Token Expiry: Ensure that tokens have a reasonable lifespan and implement mechanisms to refresh or regenerate them as needed.
  • Error Handling: Implement robust error handling to detect and respond to failed authentication attempts or expired tokens.
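
The Fetch technique and the HTTPS and error-handling considerations above can be combined in one helper. The following is an added example, not code from the Trongate documentation or project. The names buildTokenRequest, sendWithToken and TokenRequestError are hypothetical, and it assumes that tokens contain no whitespace and that the endpoint answers 401 or 403 when it rejects a token.

```javascript
// Added example: all function and class names here are hypothetical.
class TokenRequestError extends Error {
  constructor(message, status) {
    super(message);
    this.name = 'TokenRequestError';
    this.status = status; // HTTP status, or undefined for client-side refusals
  }
}

// Build the arguments for fetch(), refusing anything that could expose the token.
function buildTokenRequest(targetUrl, token, init = {}) {
  const url = new URL(targetUrl); // throws on a malformed URL
  if (url.protocol !== 'https:') {
    throw new TokenRequestError('Refusing to send token over ' + url.protocol);
  }
  // Assumption: a token is a non-empty string without whitespace (blocks CR/LF too).
  if (typeof token !== 'string' || token === '' || /\s/.test(token)) {
    throw new TokenRequestError('Token is missing or malformed');
  }
  // The token header is applied last so caller-supplied headers cannot override it.
  const headers = Object.assign({}, init.headers, { trongateToken: token });
  // redirect: 'error' stops fetch from replaying the custom header to a redirect target.
  const options = Object.assign({}, init, { headers, redirect: 'error' });
  return { url: url.href, options };
}

// Send the request. fetchImpl is injectable so the logic can be exercised offline.
async function sendWithToken(targetUrl, token, init = {}, fetchImpl = fetch) {
  const { url, options } = buildTokenRequest(targetUrl, token, init);
  const response = await fetchImpl(url, options);
  if (response.status === 401 || response.status === 403) {
    // Token rejected or expired: the caller should discard it and re-authenticate.
    throw new TokenRequestError('Token rejected by server', response.status);
  }
  if (!response.ok) {
    throw new TokenRequestError('Request failed', response.status);
  }
  return response.json();
}
```

A caller can catch TokenRequestError and check its status property to tell a rejected token (401 or 403) apart from other failures.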
