[REST API] Access to some REST API endpoints fails with plugin access token #1307

@pierrecamilleri

Describe the current behavior

I am not sure if this is a bug or a feature, but it looks like a bug to me.

The documentation of the plugin getAccessToken function says:

The returned token can be used to authorize regular REST API calls that access the content of the document.

However, this token does not work for some API endpoints, despite the plugin having complete access to the document.

For instance, at least the /download/csv and /download/table-schema endpoints are concerned.

I have not found any workaround (except asking for the user to provide an ApiKey), and my question on the community forum has been left unanswered.

Steps to reproduce

  1. Create a new document with a table "Table1" (hardcoded in script)
  2. Add a custom widget to the page with URL: https://validata-table.gitlab.io/validata-grist-plugin/bug-report.html
  3. Give it full document access
  4. Look at the response status and body in the widget window: response status 403 and body access denied

I reproduce the widget code here (for reference, and in case it is not available in the future).

Widget code
```html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>onRecords</title>
    <script src="https://docs.getgrist.com/grist-plugin-api.js"></script>
  </head>
  <body>
    <pre id="csv">Waiting for data...</pre>
    <script>
      grist.ready();
      // On each records update, request a read-only access token and try the CSV export.
      grist.onRecords(async function(records) {
        const tokenInfo = await grist.docApi.getAccessToken({readOnly: true});
        const responseData = await fetchCSV(tokenInfo);
        // innerHTML is used so that the request link built below renders as a link.
        document.getElementById('csv').innerHTML = responseData;
      });

      // Call /download/csv with the token passed as the `auth` query parameter.
      async function fetchCSV(tokenInfo) {
        const queryParams = new URLSearchParams({
          auth: tokenInfo.token,
          tableId: "Table1"
        });

        const url = `${tokenInfo.baseUrl}/download/csv?${queryParams.toString()}`;

        let responseData = "";

        try {
          const response = await fetch(url);

          responseData += "Request:<a href=\"" + url + "\"> " + url + "</a>\n";
          responseData += "Response Status:" + response.status + "\n";

          const responseBody = await response.text();

          responseData += "Response Body:" + responseBody + "\n";
        } catch (error) {
          responseData += "Error:" + error;
        }

        return responseData;
      }
    </script>
  </body>
</html>
```

Without the auth query parameter, I get a different message {"error":"No view access"}.

Describe the expected behavior

I expect the csv export API endpoint to be available from within the widget, with the access token given as auth query parameter.

Where have you encountered this bug?
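
Added example, not part of the original issue or of Grist's code: a probe that requests each endpoint with and without the plugin access token and reports how the two responses differ, masking the token in any URL that gets displayed. The `/tables/Table1/records` control path, the function names (`buildUrl`, `redact`, `verdict`, `probe`) and the verdict labels are assumptions made for illustration.

```javascript
// Added example. The two /download/* paths come from the issue; the records
// path is an assumed control endpoint. Table name as in the issue's widget.
const ENDPOINTS = [
  { path: "/tables/Table1/records", params: {} },
  { path: "/download/csv", params: { tableId: "Table1" } },
  { path: "/download/table-schema", params: { tableId: "Table1" } },
];

// Build the request URL; the token, when given, goes in the `auth` parameter.
function buildUrl(baseUrl, endpoint, token) {
  const query = new URLSearchParams(endpoint.params);
  if (token) query.set("auth", token);
  const qs = query.toString();
  return baseUrl + endpoint.path + (qs ? "?" + qs : "");
}

// Mask the token before a URL is displayed, logged or pasted into a report.
function redact(url) {
  return url.replace(/([?&]auth=)[^&]*/, "$1<redacted>");
}

// Compare the authenticated response with the anonymous one.
function verdict(status, body, anonBody) {
  if (status >= 200 && status < 300) return "accepted";
  return body !== anonBody ? "denied-differs" : "denied-same";
}

// Probe every endpoint with and without the token. `fetchFn` is injectable
// so the function can be exercised without a Grist server.
async function probe(tokenInfo, fetchFn = globalThis.fetch) {
  const rows = [];
  for (const endpoint of ENDPOINTS) {
    const authedUrl = buildUrl(tokenInfo.baseUrl, endpoint, tokenInfo.token);
    const authed = await fetchFn(authedUrl);
    const anon = await fetchFn(buildUrl(tokenInfo.baseUrl, endpoint, null));
    const body = await authed.text();
    const anonBody = await anon.text();
    rows.push({
      url: redact(authedUrl),
      status: authed.status,
      anonStatus: anon.status,
      verdict: verdict(authed.status, body, anonBody),
    });
  }
  return rows;
}
```

Inside a widget this would be called as `probe(await grist.docApi.getAccessToken({readOnly: true}))`, with the rows written to the page through `textContent` so that response bodies and URLs are not interpreted as HTML.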
