When your app loads the user will already be authenticated with DroneDeploy. Therefore you already have access to the users data just by using the API's above. However, many app creators are working with shared users that have an account on their service. Therefore, the authentication question is, "How do users sign into my service from within DroneDeploy?". The answer is however you want! Your DroneDeploy app is just an iframe so authentication flows are very similar to how you would authenticate in a standalone webpage.
Below are some common examples...
Username / Password
- Ask the user for their credentials.
- Send a request to your server with those credentials.
- If successful, store the token in localstorage
- On every subsequent visit first see if a valid token is in localstorage
You'll need a server handle the OAuth secret, store the OAuth token, and to handle OAuth callbacks. In the below example we are assuming "your-oauth-server.com" is your authentication server and "your-dronedeploy-app-server.com" is a proxy server in charge of your DroneDeploy app. However, if you prefer you can instead put this dronedeploy functionality as a subroute on your main server, "your-oauth-server.com/dronedeploy-app".
- Use the Link.open API to open your authentication request in a new window
- When the authentication flow completes on the server for "https://your-dronedeploy-app-server.com/callback?token=SERVICE_TOKEN" the token should be saved in the database and corresponding JWT token should be sent back to the client via postMessage
- window.opener.postMessage('MY_Service_Authentication Successful', '*') Full Example
- Once the frontend has the JWT token it should store it localstorage and proxy all of its network requests through "your-dronedeploy-app-server.com".
- E.X. frontend /get-user --> your-dronedeploy-app-server.com/get-user --> https://www.your-api.com/get-user
Have the user provide an client-side API key and store it in localstorage
- Don't trust the "user.email" field for authentication. Since the whole API lives on the frontend anyone could pass false emails to your application.
- Don't navigate or reload your dronedeploy iframe. If you do you won't be able to use the DroneDeploy embedded api.