I'd like to call into the API from within some JavaScript code, purely running in the browser.
How can you authenticate safely if you want to use the API purely on a client side application? Many APIs allow you to restrict a token to a single or set of referrers (so they only work on sites under certain domains). Is there a similar mechanism within NationBuilder's API?
It would be a nice fit for a public subset of the API tho and would definitely be beneficial!
They allow you to open up the API for a specific referrer using a token generated, so you can make a token (similar to the broad use ones available now), but restrict them to a specific domain (i.e. your nation). See their docs for examples: https://developers.google.com/maps/documentation/business/places/auth#limiting_referrers This would allow you to write “apps” in javascript on your nation that hit into the API, and work around a huge number of the limitations in the system as it stands now.
I guess two possible ways this could be supported by NationBuilder:
1) Support OAuth2 and CORS/JSONP to access API from another domain: This could be done using a combination of OAuth2 (using the ‘implicit’ flow which after authentication, issues the javascript a short lived access token – usually 1-2 hours) and then CORS or JSONP support to allow the browser to make cross-domain calls to the API. Facebook supports this sort of interaction with its API. I guess the JWT.io approach would be pretty similar??
2) Support some other way to authenticate on the same domain: I think this is what Reed is after. In this case, you don’t need CORS or JSONP but you still need to be able to authenticate to get access to the API. Authentication could potentially be done using a session cookie or the page could pass the javascript a short lived access token to use.
Both would rely on the API being restricted to the same permissions as the user on the web page. I’m not sure if restricting API access by permission is currently possible.
The first option would allow you to build pure javascript third party apps and would be very flexible. You’d still have to authenticate via OAuth2 (which isn’t always an ideal user experience).
The second option would actually be fantastic for extending NationBuilder but again would rely on the access to the API being appropriate for the currently logged in user.
In the meantime, I see some other options for getting data to custom client side javascript without changes to NationBuilder:
1) Create a proxy server that handles the authentication on the server side and supports CORS or JSONP or serve your javascript off that. You will then make all further API calls through the proxy. See hello.js for their OAuth1 shim. It would be slow to route all requests via the proxy and requires you set up the proxy.
2) Find APIs already exposed by the web server in NB e.g. the API that returns data for the events map uses http://nationbuilder.com/users/event_pages/marker_info_content?event_ids%5B%5D=10141. I’m still new to NB, so haven’t come across many of these. It would be great if these were documented somewhere.
3) Extend the liquid templates to embed some JSON that can then be picked up by client javascript. You could possibly also create your own API in liquid with custom templates requested by AJAX (assuming the content types all work right). Haven’t tried either of these yet.
Please let me know if I’ve missed anything or have made a mistake!
I’m not sure how CORS would apply here. I’d be happy if the referred domain allowed was only the nation itself.
The goal here is more to be able to use the API from javascript in nation pages itself, in order to build more complex pages than the “built in” templates.
Back on topic, so there are no plans to ever support something like JWT (http://jwt.io/)?