Angular Login using password field

darky · March 23, 2024, 6:47pm

I have a self-hosted environment with Rowbase and I have a user table with a password type field.
My idea is to create a login using the data from that table.

http://XX.XX.XX.XX:YYYY/api/database/rows/table/531/?user_field_names=true&filter__Correo_Electronico__equal=jevc@gmail.com&filter__Contrasenia__equal=123456789

When invoking the api and passing the username and password from the front, the api answers the following:

{
    "error": "ERROR_VIEW_FILTER_TYPE_UNSUPPORTED_FIELD",
    "detail": "The filter equal is not compatible with field type password."
}

I have looked for information on how to use the password type field but I have not found anything about it.

How can I use the filter using the password type field?

Thank you so much!

frederikdc · March 25, 2024, 10:31am

Hi,

The password field is only intended to be used with the Application Builder at the moment. It is not like a regular text field that can be used for filtering.

However, you can use the API endpoint user_source_token_auth: Baserow API spec. This allows you to pass a username and password and returns a token. If a token is returned, you know that the combination of the username and password is correct.

darky · March 25, 2024, 4:52pm

Thank you for the support and your prompt response. I check the option to generate and use the access token

valexico · July 21, 2024, 6:57pm

Hi @frederikdc

What the returned token can be used for ?

Full base access ? Or only data sources of the respective baserow application ?

bram · July 22, 2024, 3:25pm

Hi @valexico, the refresh and access token returned by the email+password authentication endpoint gives access to everything in your account. It’s the same one that our web-frontend uses after you log in. It should not be exposed publicly.

valexico · July 22, 2024, 6:55pm

Mmm this mean than if you build a baserow app, all users get access to your complete baserow account ? It does not sound very secure.

Is it a temporary situation ?

It also means that filtering data source in application builder is not a security measure ? I was actualy wondering ?

frederikdc · July 26, 2024, 5:53am

Not necessarily, it offers access to the tables where the authenticated user has access to. If you create an account that only has read access to a limited number of tables, you can only access those tables with the token.

There is a good article on our blog that explains the difference between the JWT tokens and database tokens

If you create a data source with a filter in the application builder, it will only return the number of records that match with the filter.