I am using the REST API to log in to a customer account using the URL and details below:
URL: https://magento.host/index.php/rest/V1/integration/customer/token
Header: "Content-Type:application/json"
Data: {"username":"[email protected]", "password":"customer1pw"}
and successful request returns a response body with the token:
asdf3hjklp5iuytre
Now that we are logged in, all subsequent calls we make through the REST API should use the format below:
URL: http://magento.ll/index.php/rest/V1/customers/me
Header: Authorization: Bearer asdf3hjklp5iuytre
Now my question is:
How will we verify that the token is valid for the other, subsequent API calls? How can we get the customer details using the token provided in the header?
Please explain the flow.
Updated:
When we try to access the API URL below with valid headers, it calls the getById function of CustomerRepository. But the getById function has one argument called $customerId. I am not sure where it comes from, but in the customer module's webapi.xml for this function I found that there is a way to pass customerId as a parameter; it is not sent by the requester but set internally by Magento.
http://magento.ll/index.php/rest/V1/customers/me
vendor/magento/module-customer/etc/webapi.xml
<route url="/V1/customers/me" method="GET">
    <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
    <resources>
        <resource ref="self"/>
    </resources>
    <data>
        <parameter name="customerId" force="true">%customer_id%</parameter>
    </data>
</route>
So I did the same thing in my function, and it is working fine. Here is my doubt: do we not need to check whether the token is valid? Is this all managed by Magento internally?
1 Answer
So, let's go step by step.
- You make a token request using the user's credentials: login and password.
- You get the generated token back for the current user if the credentials are valid.
- Now you are able to make requests to the resources in the "self" and "anonymous" scopes (the "admin" scope is only available to admin users).
- A GET request to the /rest/V1/customers/me URL with a proper token in the header returns information about the current user (the system detects the session by the token and returns the current user's information).
So you can make any other request allowed for the current user using the proper token (retrieved at step 2) in the same way as described at step 4. The main point here is to pass the proper token in the header for each call you make to the API.
The /rest/V1/customers/me API entry point has "self" ACL access. That means the customer_id parameter will be retrieved by verifying your token, and no additional checks are required. Resources with "self" access are only allowed for the current customer, and the system will pick the correct customer based on your token. So you are not able to set the customer_id of another customer while using resources with "self" access.
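For the custom-module case raised in the comments (a mobile app sends only the customer token in the header and wants the logged-in user's own records), here is an added example of declaring such an endpoint so that Magento resolves the customer from the token exactly as it does for /V1/customers/me. This is not code from the original post or from Magento itself: the module name Acme_UserRecords, the route URL, the interface and class names, and the in-memory record store are all assumptions; Magento\Authorization\Model\UserContextInterface and Magento\Framework\Exception\AuthorizationException are real framework classes.

```php
<?php
/**
 * Added example, not from the original post or from Magento. The module
 * (Acme_UserRecords), the route URL, the interface/class names and the
 * in-memory record store are assumptions. A real module keeps the interface
 * and the model in separate files and backs getMine() with a collection.
 *
 * etc/webapi.xml for the module mirrors the /V1/customers/me route quoted in
 * the question: a "self" resource plus a forced customerId parameter.
 *
 *   <route url="/V1/acme/user-records/me" method="GET">
 *       <service class="Acme\UserRecords\Api\UserRecordsInterface" method="getMine"/>
 *       <resources>
 *           <resource ref="self"/>
 *       </resources>
 *       <data>
 *           <parameter name="customerId" force="true">%customer_id%</parameter>
 *       </data>
 *   </route>
 *
 * and etc/di.xml maps the interface to the model:
 *
 *   <preference for="Acme\UserRecords\Api\UserRecordsInterface"
 *               type="Acme\UserRecords\Model\UserRecords"/>
 *
 * Because of force="true", any customerId the caller puts in the request is
 * discarded and the id of the customer who owns the Bearer token is
 * substituted before getMine() is called. The "self" resource and the
 * %customer_id% substitution are tied to a customer token: for an anonymous
 * caller, or for an admin/integration token, there is no customer id, which
 * is why the model below cross-checks the user context rather than trusting
 * an arbitrary integer.
 */

namespace Acme\UserRecords\Api {
    interface UserRecordsInterface
    {
        /**
         * Return the records that belong to the currently logged-in customer.
         * The docblock types matter: the web API framework uses them to
         * validate the injected argument and to serialise the response.
         *
         * @param int $customerId Injected from the token via %customer_id%.
         * @return string[]
         */
        public function getMine($customerId);
    }
}

namespace Acme\UserRecords\Model {
    use Acme\UserRecords\Api\UserRecordsInterface;
    use Magento\Authorization\Model\UserContextInterface;
    use Magento\Framework\Exception\AuthorizationException;

    class UserRecords implements UserRecordsInterface
    {
        /** @var UserContextInterface identity derived from the request token */
        private $userContext;

        /** Constructed sample data keyed by customer id (assumption). */
        private $records = [
            1 => ['order-1001', 'order-1002'],
            2 => ['order-2001'],
        ];

        public function __construct(UserContextInterface $userContext)
        {
            $this->userContext = $userContext;
        }

        public function getMine($customerId)
        {
            $customerId = (int) $customerId;

            // Belt and braces: the forced parameter already comes from the
            // token, but the user context exposes the same identity to any
            // code path (for example a route declared without force="true"),
            // so refuse anything that is not the token owner's own id.
            if ($this->userContext->getUserType() !== UserContextInterface::USER_TYPE_CUSTOMER
                || (int) $this->userContext->getUserId() !== $customerId
            ) {
                throw new AuthorizationException(
                    __('The current user is not the owner of the requested records.')
                );
            }

            return isset($this->records[$customerId]) ? $this->records[$customerId] : [];
        }
    }
}
```

A GET to /rest/V1/acme/user-records/me with the header Authorization: Bearer <token> then returns only the records of the customer that token was issued to; the same request with no token, or with a token that does not belong to a customer, is rejected before the model's own check is ever reached.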
- Thanks for your answer. Actually, I have a custom module for users. From the mobile app side, they are requesting to fetch all the records of the logged-in user and passing the token in the header. Here I have a doubt about my API function: how will I get the customer details, since the token is coming in the header? What is a good approach to do this? – Pankaj Pareek, Jun 20, 2017 at 13:32
- You should use V1/integration/customer/token in order to retrieve the token. Then store this token somewhere in your application and use it for all other requests. V1/customers/me with that token will return the logged-in user's details (first name, last name, default addresses etc.). Or do you have some difficulty with sending the header? – Yaroslav Rogoza, Jun 20, 2017 at 19:38
- Thanks, I understand the API flow basics. I updated my question in more detail. – Pankaj Pareek, Jun 21, 2017 at 4:56
- Thank you for the update. Now it's clear. I've updated my answer as well. – Yaroslav Rogoza, Jun 22, 2017 at 11:06