Since plugins are simply web pages embedded in a sandboxed iframe within Front, how you authenticate users of the plugin is entirely up to you (OAuth, email/password, token etc.). Session storage with cookies will work as you might expect with any web browser.
However, for added security you might also consider the following options.
Restricting the domains that are allowed to embed your plugin is a simple way to ensure that your plugin is not used outside your preferred contexts. Additionally, if you are trying to embed a web page that has an existing content security policy in place, you will need to update that page’s content security policy accordingly.
The frame-ancestors directive should be updated as follows:
Content-Security-Policy: frame-ancestors https://*.frontapp.com https://*.frontapplication.com;
To verify that your plugin is being requested by Front, you can check the auth_secret query parameter when your plugin is rendered. The auth_secret can be found in your plugin settings, and will be sent as a query parameter whenever Front renders your plugin. You can add it as a config var in your app, and then check against the auth_secret query param.
```javascript
// In your web server, before serving the plugin HTML, get the auth_secret
// from the plugin's URL and verify that it matches the one saved.
const frontPluginSecret = req.query.auth_secret;

// If the auth_secret does not match, the plugin does not come from Front.
if (frontPluginSecret !== process.env.FRONT_PLUGIN_SECRET) return res.sendStatus(401);

// ...proceed with the request.
```