Security
Since plugins are simply web pages embedded in a sandboxed iframe within Front, how you authenticate users of the plugin is entirely up to you (OAuth, email/password, token etc.). Session storage with cookies will work as you might expect with any web browser.
However, for added security you might also consider the following options.
Setting a Content Security Policy
Restricting the domains that are allowed to embed your plugin is a simple way to ensure that your plugin is not used outside your preferred contexts. Additionally, if you are trying to embed a web page that has an existing content security policy in place, you will need to update that page’s content security policy accordingly.
The HTTP Content-Security-Policy
frame-ancestors
directive should be updated as follows:
Content-Security-Policy: frame-ancestors https://*.frontapp.com https://*.frontapplication.com;
Token verification
To verify that your plugin is being requested by Front, you can check the auth_secret
query parameter when your plugin is rendered. The auth_secret
can be found in your plugin settings, and will be sent as a query parameter whenever Front renders your plugin. You can add it as a config var in your app, and then check against the auth_secret
query param.
To access the auth_secret
from a webserver:
auth_secret
from a webserver:// In your web server, before serving the plugin HTML, get the auth_secret from the plugin's URL and verify that it matches the one saved.
const frontPluginSecret = req.query.auth_secret;
// If the auth_secret does not match, the plugin does not come from Front.
if (frontPluginSecret !== process.env.FRONT_PLUGIN_SECRET)
return res.sendStatus(401);
// ...proceed with the request.
To access the auth_secret
from a static page:
auth_secret
from a static page:// Access the current url of the page, there are many ways to do that
// this shows one example using the `window` object.
var url = new URL(window.location.href);
// The query param will be attached to the url of the current page
// and you can access it via `auth_secret`
var authToken = url.searchParams.get('auth_secret');
Updated 3 months ago