RSS Feed

Plugin Developer Discussion

This is related to Ian's question about using plugin tokens and web tokens interchangeably (or as close to it as possible).

If I have a plugin that exposes some special functionality on an FB site then the user would have to log in in order to reach my page and I could then use the CPerson object to verify the credentials of the user. But if I try to use this as an API to integrate with an external app there is no way I can find to log in a user or verify credentials.

As an example, assume we have a task list add-in as in the sample plugin. Now, I want to have my build system add an item to that task list whenever the build fails. I can set up an API version of my task list easily enough so that external apps can integrate with my plugin. I can assign a user to the build system. But as far as I can tell there is no way for my build system to log in before accessing the plugin URL.

I could log someone in via the web API and then use the token with my API if I could verify a web API token. But even that wouldn't necessarily be enough since I would need the actual credentials of the user to verify that they were licensed or that they had permission for the particular action. Perhaps if we could retrieve a CPerson object using the web token that would be a solution.

This would seem to me to be a key plugin API need, adding functionality to the FB user interface is nice and I can see several uses for this but in the long run the bigger need is for integration with the multitude of external applications that comprise the project management universe (and not just software project management).

Thanks.

Hi Stephen,

I agree that this is very necessary, and it's part of a general class of problems that we're trying to deal with right now.

The solution we're thinking of for this is to allow passing in a token in the URL to any plugin page.  If a token is present, FogBugz will automatically validate it and log in as that user.  So hitting

http://myfogbugz/default.asp?pg=pgPlugin&ixPlugin=2&token=[token]

would work exactly the same as if a logged in user hit it without the token.

Would this solve your problem?

That appears to be a good solution. It would need to be combined with some method for logging the user in, such as the web API logon command.

I'm not sure I follow.  Couldn't you use the web XML API to log the user in and get a token for them?

The above has been implemented, with one change: adding the token to the URL only works for non-UI pages (PluginRawPage, PluginBinaryPage, and PluginStaticFile).  This is because the token only logs in for the one request, so clicking a link when logged in with a token wouldn't work.

This sounds good. The use with non-UI pages only makes sense. As to the token, I was under the impression that you couldn't use a web API token with the plugin API. If that has been changed then using the web API logon and then taking that token for use with my plugin should work perfectly.

Ah, yes, all these tokens are the same.  The only distinction we draw now is that tokens created by plugins (via the forthcoming API methods) are only valid while that plugin is enabled.