API Backdoor
When you use the API in kintone, what each app allows depends on the access permissions of the account making the call.
For example, suppose there is an inventory master app and an inventory list app, and employee A is set up to access only the inventory list app.
In this case, the same access permissions apply to JavaScript executed under A’s account, so JavaScript that tries to access the inventory master app will simply result in an error.
Therefore, under the current specifications, even if you only want to reach an app from JavaScript, you still have to grant that account access permission to it.
However, there are cases where you do not want to show the app to each account but only want to use the API against it (users cannot view it, but it is accessed internally).
This time, we introduce a workaround for that case.
Since this usage deviates from the originally intended specifications, it may suddenly stop working after an update. Please use it with caution.
Conclusion
To get straight to the point, this can be achieved by using the kintone.proxy method of the kintone JavaScript API to access the REST API of the same domain.
According to the official cybozu developer network:
Note: API tokens are tokens for executing REST APIs, so they cannot be used within the JavaScript API. Please be aware of this.
However, it does work if you go through the proxy API that kintone provides.
There are two ways to authenticate to the kintone REST API: with a user ID and password, or with an API token.
Regardless of this example, if you want to reduce security risk, use API token authentication whenever you call the REST API.
About API Tokens
Until June 2014, the only way to authenticate with the REST API was a user ID and password. Now you can instead use API tokens issued per app.
API tokens make more narrowly scoped usage possible.
As stated officially, API tokens have the following benefits. All of them reduce security risk by narrowing the available functionality.
- No need for user ID and password
- Can execute REST API only for limited apps
- Can restrict the types of REST APIs that can be executed
With ID and password authentication, account credentials inevitably end up scattered across customizations, so both maintainability and security suffer. Even if you want to use all permissions, API token authentication is generally preferable.
How to Access Apps Without Permissions
Now, let’s get to the main topic: how to implement the case where you do not want to show the app to each account but only want to use the API against it.
/**
 * Use kintone.proxy to access apps without permissions
 * @param {{ uri: string; method: "GET" | "POST" | "PUT"; param: any; apiToken: string }} props Each parameter
 * @return { Promise<any> } Execution result of the REST API
 */
kintone.useBackdoor = (props) => {
  const { uri, method, param, apiToken } = props;
  // The API token, not the logged-in user's permissions, decides what this request may do
  const header = { 'X-Cybozu-API-Token': apiToken };
  // Build the REST API URL for this domain from the path in uri (e.g. '/k/v1/record')
  let url = kintone.api.url(uri, true);
  let body = '';
  if (typeof param === 'string') {
    // GET: param is a pre-built query string such as '?app=123&id=45'
    url += encodeURI(param);
  } else {
    // POST/PUT: send param as a JSON body
    header['Content-Type'] = 'application/json';
    body = JSON.stringify(param);
  }
  // kintone.proxy resolves with [body, status, headers]
  return kintone.proxy(url, method, header, body);
};
In this code we add a function to the global variable kintone, but you can also define and use the function only within an immediately-invoked function expression (IIFE), like a normal JavaScript API customization.
The process is like stepping out of kintone once and then accessing kintone again from the outside.
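As an added example (not code from the original post), the same proxy call split into a request builder and a response check: kintone.proxy resolves with [body, status, headers] even on 4xx/5xx, so a token that lacks the right scope is only visible by inspecting the status. The names buildRequest, parseProxyResult and callThroughProxy, the app id 123 and the token value are assumptions for illustration.

```javascript
// Added example, not code from the original post. buildRequest, parseProxyResult,
// callThroughProxy, app id 123 and the token value are constructed placeholders.

// Build the arguments for kintone.proxy from a REST API path, a method, a parameter
// object and the app's API token. baseUrl is the kintone origin (location.origin).
function buildRequest({ path, method, param, apiToken, baseUrl }) {
  const headers = { 'X-Cybozu-API-Token': apiToken };
  let url = `${baseUrl}${path}.json`;
  let body = '';
  if (method === 'GET') {
    // GET parameters go in the query string; encode every value so a query
    // such as item = "A&B" cannot break or alter the request.
    const enc = encodeURIComponent;
    const qs = Object.entries(param).flatMap(([k, v]) =>
      Array.isArray(v) ? v.map((x, i) => `${enc(k)}[${i}]=${enc(x)}`) : [`${enc(k)}=${enc(v)}`]
    ).join('&');
    if (qs) url += `?${qs}`;
  } else {
    headers['Content-Type'] = 'application/json';
    body = JSON.stringify(param);
  }
  return { url, method, headers, body };
}

// kintone.proxy resolves with [body, status, headers] even for 4xx/5xx responses,
// so check the status before trusting the body (a token without the needed scope lands here).
function parseProxyResult([text, status]) {
  const data = text ? JSON.parse(text) : {};
  if (status < 200 || status >= 300) {
    throw new Error(`kintone REST API ${status}: ${data.code || ''} ${data.message || ''}`.trim());
  }
  return data;
}

// Send a request through kintone.proxy (or an injected proxy function for tests) and parse it.
async function callThroughProxy(req, proxy = (...a) => kintone.proxy(...a)) {
  return parseProxyResult(await proxy(req.url, req.method, req.headers, req.body));
}

// Usage inside a kintone customization: read the inventory master app (app 123 here) that the
// logged-in user cannot open. The token ships in the customization file, so issue it with view rights only.
if (typeof kintone !== 'undefined') {
  callThroughProxy(buildRequest({
    path: '/k/v1/records', method: 'GET', baseUrl: location.origin,
    param: { app: 123, query: 'stock < 10', fields: ['item', 'stock'] },
    apiToken: 'PLACEHOLDER_API_TOKEN',
  })).then((res) => console.log(res.records));
}
```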