I need to implement more admin functionality, and I have an RPC that should really only be able to run through the console. How do I check in the rpc code if the rpc is being run from console?
Or, similarly, how do I check that an rpc is called using the http_key authentication method?
I’m currently doing this, but not sure if this is legit.
```go
userID := ctx.Value(runtime.RUNTIME_CTX_USER_ID).(string)
if userID != "00000000-0000-0000-0000-000000000000" {
	return "", runtime.NewError("Unauthorized", 401)
}
```
The above has the limitation that I cannot use the userID as an argument. For example, a developer-only RPC that allows developers to award users various items and currency.
Hello @wbronchart,
The console APIs are separate from the client-facing APIs and they do not support custom RPCs.
If you’re looking for a specific addition to the Console, please consider an OSS contribution or open a feature request in the Nakama repository and we’ll consider it.
Otherwise we usually recommend extending the console by using something like Retool and implementing custom Server-To-Server RPCs.
To check that an RPC is invoked via the http_key you should check that the userID is empty - this indicates that the request does not contain session data and that it’s an S2S call.
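```go
// The two-value assertion avoids a panic when the context holds no user ID.
userID, ok := ctx.Value(runtime.RUNTIME_CTX_USER_ID).(string)
if ok && userID != "" {
	// A non-empty user ID means the request carried a session token.
	logger.Error("rpc was called by a user")
	return "", runtime.NewError("rpc is only callable via server to server", 7)
}
```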
If you need to supply a userID, it should be part of the body of the request. Since this would be called by an admin, there would not be a userID in the context either way, as that comes from requests with a valid session token.
Best.
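
The two points from the reply above (reject callers that have a session user ID, and take the target user from the request body) combined in one handler, as an added example that is not code from this thread or from Nakama. To run without the nakama-common module it uses a local stand-in `ctxUserID` for `runtime.RUNTIME_CTX_USER_ID`, plain errors in place of `runtime.NewError`, and a signature trimmed to `ctx` and `payload`; `awardCurrency`, `awardRequest` and its field names are hypothetical.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

// Stand-in for runtime.RUNTIME_CTX_USER_ID so the example runs without the
// nakama-common module (assumption); use the runtime constant in a real module.
const ctxUserID = "user_id"

var (
	errNotS2S     = errors.New("rpc is only callable via server to server")
	errBadPayload = errors.New("payload must contain user_id and a positive amount")
)

// awardRequest is a hypothetical request body: the target user travels in
// the payload because an http_key call carries no session user.
type awardRequest struct {
	UserID string `json:"user_id"`
	Amount int64  `json:"amount"`
}

// awardCurrency rejects session callers, then reads the target from the body.
func awardCurrency(ctx context.Context, payload string) (string, error) {
	// A non-empty user ID in the context means a session token was used.
	if caller, ok := ctx.Value(ctxUserID).(string); ok && caller != "" {
		return "", errNotS2S
	}
	var req awardRequest
	if err := json.Unmarshal([]byte(payload), &req); err != nil {
		return "", errBadPayload
	}
	if req.UserID == "" || req.Amount <= 0 {
		return "", errBadPayload
	}
	// A real module would update the wallet here; this only echoes the request.
	return fmt.Sprintf(`{"awarded":%d,"user_id":%q}`, req.Amount, req.UserID), nil
}

func main() {
	body := `{"user_id":"constructed-user-id","amount":50}` // constructed sample
	fmt.Println(awardCurrency(context.Background(), body))
	session := context.WithValue(context.Background(), ctxUserID, "some-player")
	fmt.Println(awardCurrency(session, body))
}
```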