Retrieving session token / managing authentication for browser app

Hey,

I am developing a JS browser app, inspired by the abandoned NxGanttDeck.

However, I could not find a way to get a session token. I use the nextcloud login flow to automatically create an app login. This is great for standalone apps, but it forces me to store the username and password inside the browser (currently I am using a same site cookie). So I’d prefer to send the credentials to some endpoint to get a session token, but I could not find any information on that.

Does anyone have experience with retrieving session tokens via app or alternative solutions?

Any tips or experiences are very much appreciated.

Well, that depends sort of on your use case.

NC app

If your browser app should be published and deployed as an app of the NC server, you would best use the @nextcloud/axios package, which should handle the login for you (as well as CSRF).

External app

If you want to access the NC from a foreign service, keep in mind that you need to cope with CORS. Not all endpoints are CORS-aware, so check that before investing too much effort.

You could either store the credentials inside your custom app’s backend but be aware of the security considerations.

Alternatively, you could ask the user to log in to your app (aka provide username and password) and use that for any login. This is not stored persistently but just in the JS frontend of the browser. This approach breaks however when using 2FA.

I am not aware of creating a token that has a fixed/finite lifetime to handle in a session. All I know are app tokens with infinite lifetime that you should store and reuse.


Thank you very much for your input!

I guess I’ll eventually remove the credentials from the cookie and use input fields and provide the app login flow as I am already doing so that the user can easily create an app password that works without 2FA.

You could also think about embedding the project you are working on in a NC app. That would save you quite some hassle, and as you are connecting to a NC instance anyway, it makes sense to install things there directly. Adding a publicly reachable page should not be a big issue here.

Yes, unfortunately I coped with the hassle already so moving everything to a nextcloud app will be additional work. But I might do that anyways as it seems to be the proper way to do it.

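As an added example (not code from any poster in this thread), here is one way to combine the login flow and app-password approach discussed above without putting credentials in a cookie: run Nextcloud's Login Flow v2, keep the resulting app password only in memory, and revoke it on logout. The function names, the injected `fetchFn`, and the same-origin check on the poll endpoint are assumptions of this sketch, and it presumes the endpoints are reachable from the app's origin (see the CORS remark above).

```javascript
// Added example. Login Flow v2 and the apppassword DELETE endpoint are Nextcloud's;
// function names and the in-memory session design are this example's assumptions.
const b64 = (s) => btoa(String.fromCharCode(...new TextEncoder().encode(s)));

// Keeps the app password in a closure only: no cookie, no localStorage.
function createSession({ server, loginName, appPassword }, fetchFn = fetch) {
  let auth = 'Basic ' + b64(`${loginName}:${appPassword}`);
  return {
    loginName,
    request(path, opts = {}) {
      if (!auth) throw new Error('session closed');
      return fetchFn(server + path, {
        ...opts,
        credentials: 'omit', // never mix in browser cookies for the Nextcloud origin
        headers: { ...opts.headers, Authorization: auth, 'OCS-APIRequest': 'true' },
      });
    },
    // Revokes the app password server-side, then forgets it locally.
    async logout() {
      const res = await this.request('/ocs/v2.php/core/apppassword', { method: 'DELETE' });
      auth = null;
      return res.ok;
    },
  };
}

async function loginFlowV2(baseUrl, openLogin, fetchFn = fetch, { intervalMs = 2000, maxPolls = 300 } = {}) {
  const init = await fetchFn(`${baseUrl}/index.php/login/v2`, { method: 'POST' });
  if (!init.ok) throw new Error(`login flow init failed: ${init.status}`);
  const { poll, login } = await init.json();
  // Policy of this example: only send the poll token back to the origin we asked.
  if (new URL(poll.endpoint).origin !== new URL(baseUrl).origin) {
    throw new Error('poll endpoint origin mismatch');
  }
  openLogin(login); // user signs in (including 2FA) on the Nextcloud page itself
  for (let i = 0; i < maxPolls; i++) {
    const res = await fetchFn(poll.endpoint, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ token: poll.token }).toString(),
    });
    if (res.ok) return createSession(await res.json(), fetchFn);
    if (res.status !== 404) throw new Error(`poll failed: ${res.status}`); // 404 = not yet approved
    await new Promise((r) => setTimeout(r, intervalMs));
  }
  throw new Error('login flow timed out');
}
```

In a browser, `openLogin` would typically be `(url) => window.open(url)`; a page reload discards the session, so the user repeats the flow rather than the app persisting a secret.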