I am using the REST API to log in to a customer account using the below URL and details:
URL: https://magento.host/index.php/rest/V1/integration/customer/token
Header: "Content-Type:application/json"
Data: {"username":"customer1@example.com", "password":"customer1pw"}
and a successful request returns a response body with the token:
asdf3hjklp5iuytre
As we are now logged in, all the calls after login that we need to make using the REST API should use the below format:
URL: http://magento.ll/index.php/rest/V1/customers/me
Header: Authorization: Bearer asdf3hjklp5iuytre
Now my question is:
How will we verify that the token is valid for other subsequent API calls?
How can we get customer details using the token provided in the header?
Please explain the flow.
Updated:
When we try to access the below API URL with valid headers, it calls the getById function of CustomerRepository. But the getById function has one argument called $customerId. I am not sure how it is coming, but in the customer module webapi.xml for this function, I found there is a way to pass customerId as a param; it is not sent by the requester but Magento sets it internally.
http://magento.ll/index.php/rest/V1/customers/me
vendor/magento/module-customer/etc/webapi.xml
<route url="/V1/customers/me" method="GET">
    <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
    <resources>
        <resource ref="self"/>
    </resources>
    <data>
        <parameter name="customerId" force="true">%customer_id%</parameter>
    </data>
</route>
So I did the same thing in my function and it is working fine. Here is my doubt: do we not need to check whether the token is valid? Is this all managed by Magento internally?
Best Answer
So, let's go step by step.
The /rest/V1/customers/me URL with a proper token in the header returns information about the current user (the system detects the session by token and returns the current user's information). So, you can make any other request allowed for the current user using the proper token (retrieved at step 2) in the same way as described at step 4. So, the main point here is to pass the proper token in the header for each call you make to the API.
The /rest/V1/customers/me API entry point has "self" ACL access. That means that the customer_id parameter will be retrieved by verifying your token and no additional checks are required. The resources with "self" access are only allowed for the current customer, and the system will pick up the correct customer based on your token. So, you are not able to set customer_id of another customer while using the resources with "self" access.
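The flow described in the question and the answer, as an added example that is not part of the original post: the client obtains a customer token, sends it as a Bearer header on /V1/customers/me, and treats a 401 from Magento as "token invalid, re-authenticate". The client itself never validates the token; that happens server-side on every call. The host name is a placeholder, and fake_magento is a constructed stand-in for the server (its response messages are constructed too) so the script runs offline; pass the default transport to talk to a real instance.

```python
"""Magento 2 customer-token flow: get a token, call /V1/customers/me with it,
and detect a rejected token from the server's status code.
Added example, not the poster's code. BASE_URL and fake_magento are constructed."""
import json
import urllib.error
import urllib.request

BASE_URL = "https://magento.example"  # placeholder host, not a real deployment


def http_transport(method, url, headers, body=None):
    """Real HTTP via urllib. Returns (status, body_text); HTTP errors are not raised."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def get_customer_token(username, password, transport=http_transport, base_url=BASE_URL):
    """Step 1: exchange credentials for a customer token (the body is a JSON string)."""
    status, text = transport(
        "POST", f"{base_url}/rest/V1/integration/customer/token",
        {"Content-Type": "application/json"},
        json.dumps({"username": username, "password": password}),
    )
    if status != 200:
        raise PermissionError(f"login failed: HTTP {status}")
    return json.loads(text)


def get_current_customer(token, transport=http_transport, base_url=BASE_URL):
    """Step 2: call a "self" resource with the Bearer token. Magento resolves
    %customer_id% from the token; we only need to recognise a rejected token."""
    status, text = transport(
        "GET", f"{base_url}/rest/V1/customers/me",
        {"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    if status == 401:
        return None  # token expired, revoked or never issued: log in again
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}: {text[:200]}")
    return json.loads(text)


def fake_magento(method, url, headers, body=None):
    """Constructed offline stand-in for the server. It issues the token from the
    question and checks the Authorization header on /customers/me, which is the
    check Magento performs internally before filling in customerId."""
    if method == "POST" and url.endswith("/rest/V1/integration/customer/token"):
        creds = json.loads(body)
        if creds == {"username": "customer1@example.com", "password": "customer1pw"}:
            return 200, json.dumps("asdf3hjklp5iuytre")
        return 401, json.dumps({"message": "constructed: invalid login"})
    if method == "GET" and url.endswith("/rest/V1/customers/me"):
        if headers.get("Authorization") == "Bearer asdf3hjklp5iuytre":
            return 200, json.dumps({"id": 1, "email": "customer1@example.com"})
        return 401, json.dumps({"message": "constructed: token rejected"})
    return 404, ""


if __name__ == "__main__":
    token = get_customer_token("customer1@example.com", "customer1pw", transport=fake_magento)
    print("current customer:", get_current_customer(token, transport=fake_magento))
    print("with a bad token:", get_current_customer("not-a-token", transport=fake_magento))
```

The client holds no logic for validating the token because it cannot: the token maps to a customer only inside Magento, which is exactly why the "self" resource with force="true" needs no extra check in your own service. Keep the token out of logs and URLs, and re-run get_customer_token when a call returns 401 instead of retrying with the same token.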