
API Access Out of App Context - Success?

New Here, Feb 14, 2018

Hey Guys!

I was playing a bit with the BC SDK and REST API, and quite quickly I realised that actions like POST and DELETE are only available in the context of an app.

So I started wondering: how could I give admin access to the API POST action while still staying on the main website (not the admin area)?

A good example of using this idea is to create an in-context editor where users can simply edit the page elements that they currently see.

So I found this simple solution, and I'm wondering whether there is anything wrong with it, or whether I'm missing anything important.

  • Create App
  • Create a normal page (that would have JavaScript to get input from the user and pass it to the iframe)
  • Add an iframe to it
  • Set the iframe source to the app, like: https://[app key here]-[site_ID here]-apps.worldsecuresystems.com/_System/Apps/[app key here]/index.html
  • Pass data to the iframe through the Name attribute or the URL hash
  • On index.html of the app, get the data and, using the SDK or API, pass it to the system.

Any advice on why not to do it, or what a better solution is? I might simply be missing something trivial.

LEGEND, Feb 14, 2018

To help you I will just throw you:

- What do browsers do with iframes cross domain and data?
- Why does BC iframe and sandbox and have the setup with apps themselves currently?

New Here, Feb 14, 2018

  • The cross-domain issue is not a problem. I did some tests and used the JS postMessage() method, which allows sending data to an iframe (that is instead of the Name attribute that I mentioned in the original post).
  • Not sure what you mean by your second question. If you're talking about security then it doesn't matter, as my idea is to first log in to the BC admin panel and then move to the front end. I guess BC is made the way it is to prevent users from overwriting their Admin Panel...

Participant, Feb 26, 2018

Every time I read a post like this on BC I think of this:

[Image: Strip-La-mine-API-650-finalenglish.jpg]

New Here, Feb 26, 2018

Hahaha, that comic is hilarious!

I did some further development, and it looks like my concept works! So what I described in the original post is definitely possible.

The only issue I found is catching any errors related to loading an unauthorised iframe (401), and maybe a dynamic setup of the parent page domain that needs to be passed to the child iframe.

LEGEND, Feb 26, 2018

I would not build off anything you find though. If that is the case then there is a security issue BC will and would want to look at and stop from happening.

If they deem it a serious one they do action the changes pretty quickly and, more often than not, since it is a security issue, just fix it without notifying anyone (as they do not need to), so a solution may just stop working.

LEGEND, Feb 26, 2018

I would also check it in all browsers.

New Here, Feb 26, 2018

I'm not sure you understand how I achieved my results. I'm quite confident it is secure, but please correct me if I'm wrong.

I use BC backend authentication. All information exchanged between the iframe and the page using postMessage() has a cross-origin check.

Window.postMessage() - Web APIs | MDN https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

I have seen BC Apps doing the same job, and I assume it needs to be done in a similar way.

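The cross-origin check mentioned in the post above, sketched for the app page inside the iframe as an added example (not code from the thread or from BC). The parent origin, the editable fields and `applyEdit` are assumptions.

```javascript
// Added example: message handler for the app page running inside the iframe.
// ALLOWED_PARENT_ORIGINS and applyEdit are hypothetical; applyEdit stands in
// for whatever SDK or REST call the app makes with its admin session.
const ALLOWED_PARENT_ORIGINS = new Set(["https://www.example.com"]); // constructed
const ALLOWED_FIELDS = new Set(["title", "body"]);
const MAX_VALUE_LENGTH = 20000;

function validateEdit(data) {
  // Accept only a plain object with exactly the shape we expect.
  if (data === null || typeof data !== "object" || Array.isArray(data)) return "not an object";
  if (data.type !== "edit") return "unknown message type";
  if (!Number.isInteger(data.pageId) || data.pageId <= 0) return "bad pageId";
  if (!ALLOWED_FIELDS.has(data.field)) return "field not editable";
  if (typeof data.value !== "string" || data.value.length > MAX_VALUE_LENGTH) return "bad value";
  return null;
}

function makeEditHandler(applyEdit) {
  return function onMessage(event) {
    // Exact origin comparison (scheme + host + port). Substring or
    // startsWith checks would let "https://www.example.com.lookalike.test" through.
    if (!ALLOWED_PARENT_ORIGINS.has(event.origin)) {
      return { accepted: false, reason: "origin not allowed" }; // no reply to unknown senders
    }
    const reason = validateEdit(event.data);
    const result = reason ? { accepted: false, reason } : { accepted: true };
    if (!reason) {
      // Pass on only the validated fields, never the raw message object.
      applyEdit({ pageId: event.data.pageId, field: event.data.field, value: event.data.value });
    }
    // Reply to the verified origin only, never with "*".
    if (event.source) event.source.postMessage(result, event.origin);
    return result;
  };
}

// In the browser: window.addEventListener("message", makeEditHandler(applyEdit));
```

The origin check only establishes which page sent the message; any script running on that allowed page can still drive the admin session, which is why the handler also restricts message type, fields and size.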
LEGEND, Feb 26, 2018

It is exactly the passing with the iframes which is what BC will not want and the cross origin.

Open platform first version you could read and edit the parent (admin) and BC rebuilt it to sandbox it. It has a very specific URL structure and is supposed to be sandboxed. While in admin, run in admin and not supposed to be accessed anywhere else, the authentication just in that case.

Anything outside the intended by BC can lead to hijacking.
Continue as you want but I would be wary sharing your findings and just note that BC could change this at any time and it all stops working. I just do not want you to invest time that will get undone. I discover and know things about BC before most people and BC has specifically changed BC as a result of things I have done/discovered and I have had more than one project/app stopped because BC changed or tightened things up, so I know from experience.
I am also under a full Adobe NDA so I can only advise and warn you with the above.

Participant, Feb 27, 2018

I second what Liam says. I've also been a partner a very, very long time and there's been a ton of stuff that Adobe patched.

"In Context editor where user can simply edit page elements that they currently see"

This can already be done using WebApps as building blocks, but it will be slow and complex.

New Here, Feb 27, 2018

Hey bcalpha, can you please elaborate:

"This can already be done using WebApps as building blocks, but it will be slow and complex."

I know there is simple inContext editing already in BC but it doesn't work well with any Liquid...

Does your idea include WebApps Edit template and user secure zones?

LEGEND, Feb 27, 2018

You should also know that having website editing on the front end outside of the default BC admin/editing solutions will add to the site bandwidth.

This can exponentially increase the bandwidth of a BC site and take its usage too far. From experience this can mount so plus normal site traffic you can come close AND over even with the high bandwidth BC has by default.

Participant, Feb 28, 2018

It only works in the back-end, not on Secure Zones and I really wouldn't recommend it.

New Here, Feb 28, 2018

Thanks guys for all the advice, well appreciated.

We should discuss this over drinks in Surry Hills.

Liam,

I'm now worry about bandwidth as in my case there wouldn't be many updates, maybe twice a week. But it's worth considering this issue for a website with a lot of content, like a blog or news website.

bcalpha,

I was trying to figure out, a while ago, how to use "Edit Templates" for WebApps. But I gave up at some point, not sure what the reason was. There was some missing part with permissions or something.

I've got almost the whole "Better Editor App" ready... just a few bits left with file upload status. I will let you know how things work in real life.

Cheers

LEGEND, Feb 28, 2018

I have seen a few complex things from partners and ones that are not. Even the small ones really do start eating into the bandwidth, especially with content. If you think someone is editing, re-editing, checking, making changes again... That is what the admin is for.

New Here, Feb 28, 2018

Yeah, but I personally think that the BC Admin UX is tragic... So I'm trying to make use of the great back-end potential of BC with a smooth front-end UX...

Around 300MB/mo of bandwidth is still far away from 1000GB/mo that is for free... at least in my case...

LEGEND, Feb 28, 2018

Using enterprise solutions and others.

Some may look nice but are a nightmare to actually use (looking at you, Squarespace) and enterprise ones have horrible ones.

In the scheme of things, especially for client pickup and content editing. If you build the site right (which I find a lot of BC developers do not do) it is one of the better ones.

You said:

"Around 300MB/mo of bandwidth is still far away from 1000GB/mo that is for free... at least in my case..."

Is the site live?
Have you built the tool and are you using it much?

Watching one right now with something front end content not written by us and it's exponential.
Our biggest sites (and we've got some big ones) are not even close to even 100mb before going live, as a reference.
