How to validate auth popup hash data?

It sends secret, context and locale.

Is there something like https://developers.trello.com/page/webhooks#section-webhook-signatures to validate context?

{
  "secret": "aasdasdsadasdasdsad",
  "context": {
    "version": "build-4358",
    "member": "123",
    "permissions": {
      "board": "write",
      "organization": "write"
    },
    "organization": "345",
    "board": "456",
    "command": "show-authorization",
    "el": "789"
  },
  "locale": "en-US"
}

I think that we will do the validation for you. We use that data to validate that the t object you have is the correct one.

I don’t believe that there is a way for you to validate it yourself aside from trying to use the t object and catching any errors that occur if the context has been messed with.

@bcook maybe I have an XY problem here, let me explain.

I’m working on a service that would have user accounts on my side but I don’t want to bother user with registration.

So is there a way that with this data I can validate user passed data? So I just take member id from context and authenticate it on my server?

@bcook bump bump bump bump :slight_smile:

It sounds like what you’re looking for is some sort of shared secret between your Power-Up and your server so that you can validate that calls coming from your Power-Up are valid, yeah?

If so, you don’t want to use the member ID as the form of authentication since they are not secret. Instead, we generally recommend using some sort of shared secret stored via t.storeSecret() that you can include in requests to your service (which also knows the secret) and then authenticate based on that secret. Some Power-Ups achieve this by using the Trello user’s token as the shared secret.

yup :slight_smile:

I’ve thought about storeSecret but I have to authenticate the very first call, right?
Technically I can randomly generate it once to anyone but if it’s lost the user wouldn’t be able to regenerate it and his data will be lost.

Can I generate a token and use it on the backend to send t.storeSecret from my server somehow?

We’ve seen a number of Power-Ups that ask the user to authenticate via trello.com/1/authorize (https://developers.trello.com/authorize) and then store the token via t.storeSecret(). Then, they pass that token along with every request from the Power-Up to their backend service. They can verify via Trello’s API that the token is valid and that it belongs to the user it is expected to belong to. This can be done by making a call to 1/members/me.