[Guide] Authenticated requests to Discourse API

Continuando la discusión desde [GUIDE] Kodular + Discourse Community Implementation:

I have created this topic to complement the good work of @Gordon_Lu in documenting how to use parts of the Discourse API from Kodular :handshake:t2:

Hello everyone :wave:! I think it’s been a while since I’ve been in the community.
Today I have seen this topic, which I would like to complement by sharing some things that I have managed to implement using Kodular :smiley:

Unlike other methods that use Custom WebView + Cookies, this guide will focus on Discourse’s User API keys specification :hammer_and_wrench:, the same used by applications such as DiscourseHub (the mobile application of :discourse: Discourse), to perform API actions in an authenticated way (for example, access secret places, give likes, etc.)

This implementation is quite complex to do directly from Kodular :confused:, since it is possible that there is an error in the Cryptography component or at the time of URI encoding, so I have decided to create a small API called Discourse Flow, which will handle all these steps of a much simpler way :white_check_mark:

1. Calling Discourse Flow

Endpoint: https://api.yanquisalexander.me/discourse/flow

Method: GET

Query Parameters (Optional):
  • discourse_url

    • Discourse site url, default is meta.discourse.org
  • application_name

    • App name, this will be displayed on the consent screen and in the login history, default to Discourse App
  • clientId

    • Client identifier, this must be unique, by default discourse-mobile- followed by a randomString
  • redirect_uri

    • Url to which the payload will be sent once the authentication flow is complete, must be inside the SiteSetting allowed user api auth redirects, default is https://api.discourse.org/api/auth_redirect, since all Discourse sites include it by default, including Kodular Community
  • scopes

    • Scopes that the generated User API Key will use (separated by comma), default to read,write,notifications,session_info
    • Allowed scopes:
      • read
      • write
      • message_bus
      • push
      • one_time_password
      • notifications
      • session_info
      • bookmarks_calendar
      • user_status

After getting the data, which is returned in JSON format, I recommend saving it (perhaps passing it to Dictionary or something) in a TinyDB, perhaps with a namespace “@discourse/flowData” or whatever you want to call it.

2. Obtaining the Token

Endpoint: https://api.yanquisalexander.me/discourse/token

Method: POST

Query Params:

  • discourse_url

Body params (required):

  • payload

    • Gets after Discourse redirects to redirect_uri
  • private_key

    • Obtained in the previous step

Returns: Token and currentUser

How to get token using Blocks

The Flow call returns a json that contains some metadata, including the redirect_to value, this URL should be used by, for example, a WebView.

In my case, I added a Page Loaded, to find out if the Current URL contains https://api.discourse.org, since it is the redirect_uri that I chose, and thus get the payload

After making the POST request, it returns a json with two values, token and currentUser, “token” contains the decryption of the payload, and currentUser has the information of the current user

To use the token and make an authenticated request, the User-Api-Key header must be used, with the obtained token (which is inside token.session.key)

Soon, I will be improving this guide and posting an AIA and a demo APK, I will also make this topic a Wiki in case anyone wants to contribute :open_book:

1 Like