
Need a way to act as user with session secret in server API

  • REST API
  • Web
  • Auth
  • Cloud
Lysine
15 Aug, 2025, 14:16

Use case

I'm using Appwrite to add backend features to a puzzle site (Logic Pad). Because the site requires complex validation logic on document creation, I am hiding the entirety of Appwrite behind an API server hosted on DigitalOcean. The frontend client only interacts with DigitalOcean, which stores the session secret (generated by Appwrite) in a secure cookie to authenticate the user (similar to how the Appwrite SDK works).

Problem

Currently, the only way for the server to validate the session secret is to call the client account.get API with the session secret. This means I have to expose Appwrite's Account service to the public, which I do not want to do. In addition, if I want the server to act on behalf of the user using the client API such that permissions and rate limits are respected, I have to expose all relevant Appwrite services to the public, which defeats the purpose of having complex database validation.

Proposed solution

I need a middle ground between the client API and the server API, one that requires authentication with the session secret and respects permissions and rate limits, but also requires an API key for access so that this set of APIs is not exposed to the public.

@Steven Had a discussion with Matej and he recommended your help :appwritemagician:

TL;DR
Developers need a secure way for the server to act as a user with session secret in the server API without exposing Appwrite services to the public. The proposed solution is to create a middle-ground API that requires authentication with session secret and API key for access, respecting permissions and rate limits.
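
The validation step the post describes (the API server calling account.get with the session secret from its cookie), as an added example that is not part of the original post or Appwrite's own code. The cookie name `lp_session`, the `cfg` object and the secret's allowed alphabet are assumptions; `X-Appwrite-Project` and `X-Appwrite-Session` are the headers the Appwrite SDKs send for a project and a session.

```javascript
// Placeholders (assumptions): cookie name, endpoint and project ID are not from the post.
const COOKIE_NAME = 'lp_session';

// Return the session secret from a Cookie header, or null if absent or ambiguous.
function readSessionSecret(cookieHeader) {
  if (typeof cookieHeader !== 'string') return null;
  const values = cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.startsWith(COOKIE_NAME + '='))
    .map((part) => part.slice(COOKIE_NAME.length + 1));
  if (values.length !== 1) return null; // duplicate cookies: refuse to pick one
  // Assumption: the secret is an opaque token; bound its alphabet and length
  // so nothing unexpected is copied into an outgoing header.
  return /^[A-Za-z0-9._~+\/=-]{16,4096}$/.test(values[0]) ? values[0] : null;
}

// Build the account.get request the API server sends to Appwrite.
// Only the cookie value is forwarded; no other client-supplied header is.
function buildAccountRequest(cookieHeader, cfg) {
  const secret = readSessionSecret(cookieHeader);
  if (secret === null) return null;
  return {
    url: cfg.endpoint.replace(/\/+$/, '') + '/account',
    init: {
      method: 'GET',
      headers: {
        'X-Appwrite-Project': cfg.projectId,
        'X-Appwrite-Session': secret,
      },
    },
  };
}

// Resolve the caller to a user ID, or null when there is no valid session.
// fetchImpl is injectable so the function can be exercised without a network.
async function resolveUser(cookieHeader, cfg, fetchImpl = fetch) {
  const req = buildAccountRequest(cookieHeader, cfg);
  if (req === null) return null;
  const res = await fetchImpl(req.url, req.init);
  if (res.status === 401) return null; // expired or unknown session
  if (!res.ok) throw new Error('Appwrite account lookup failed: ' + res.status);
  const user = await res.json();
  return { id: user.$id };
}
```

The Appwrite endpoint in `cfg.endpoint` still has to be reachable from the API server, and the secret should be kept out of request logs and error messages.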