Users & Authentication

Looking for some tips on managing users or authentication? Check in here for more information.

Users are accounts used to manage access to Expression, both to the XPR Backend and your frontend application. Each User has an associated Person record which holds details such as First and Last name, and acts as a binding point for Address objects.

A user must be Active to enable authentication. This property can be set from the global listing, or programmatically through the Users API.

User Groups

Equally important for managing access as the user account itself are the User Group records. Each user has a Primary User Group and a collection of Auxiliary User Groups.

Site Developer Access controls access to developer features; specifically, it allows routing to the XprTrace and XprCacheControl endpoints. In general, it can be thought of as marking a group as Super Users.

Has Backend Access defines whether or not the group is allowed to authenticate to the XPR Backend.

Domains define a collection of domains the account is allowed to authenticate against. This is useful if you have multiple domains on the same installation and need to constrain access.

Authenticating

Frontend Authentication

Authentication is managed through the /auth/ API endpoint. A typical frontend login will consist of a form triggering a postHandler script.

function process(loginData) {

    var api = new XprApi();
    var authResponse = null;
    try {
        // POST the submitted credentials to the /auth/ endpoint
        authResponse = api.call({
            uri: "/auth/login",
            method: "POST",
            data: {
                UserLogin: loginData.UserLogin,
                UserPassword: loginData.UserPassword
            }
        });
    }
    catch ( error ) {
        // handle authentication failure (e.g. inactive user, wrong password):
        // report a generic error to the form and never echo the password back
        authResponse = null;
    }
    return authResponse;
}

Admin Authentication

Admin Authentication (requiring the Has Backend Access flag) is managed via the /admin/login route. This is the same API route hit by the Expression Login page.

This can be useful for you as a developer because it enables the rest of the api/* routes via HTTP, allowing you to run scripts against the API, e.g. a data-migration or content import script.
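As an added example (not Expression's own code), a Node.js skeleton for such a script: it logs in through /admin/login and then reuses the resulting session for api/* calls. Assumed, since the page does not state them: the admin route takes the same UserLogin/UserPassword fields as the frontend form, form-encoded, and the session is a single cookie; the base URL, environment variable names and route names are placeholders.

```javascript
// Added example, not Expression's own code: a Node.js script skeleton that logs in via
// /admin/login and reuses the resulting session for api/* calls (e.g. a content import).
// Assumptions not confirmed by the page: the admin route accepts the same UserLogin /
// UserPassword fields as the frontend login, form-encoded, and the session is one cookie.

async function adminLogin(baseUrl, credentials, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/admin/login`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      UserLogin: credentials.login,
      UserPassword: credentials.password,
    }),
    // Do not follow redirects: a Set-Cookie on a 302 login response would otherwise be lost.
    redirect: "manual",
  });
  const setCookie = res.headers.get("set-cookie");
  const accepted = res.ok || (res.status >= 300 && res.status < 400);
  if (!accepted || !setCookie) {
    // Fail closed: never run a migration without a confirmed admin session.
    throw new Error(`admin login failed (HTTP ${res.status})`);
  }
  const cookie = setCookie.split(";")[0]; // keep name=value only, drop Path/HttpOnly attributes

  return {
    // Call an api/* route with the admin session attached; rejects on any non-2xx answer.
    async api(route, init = {}) {
      const url = `${baseUrl}/api/${route.replace(/^\/+/, "")}`;
      const r = await fetchImpl(url, { ...init, headers: { ...(init.headers || {}), Cookie: cookie } });
      if (!r.ok) throw new Error(`api/${route} failed (HTTP ${r.status})`);
      return r.json();
    },
  };
}

// Credentials come from the environment (placeholder variable names) so they never land
// in the script source or a repository.
function credentialsFromEnv(env = process.env) {
  const { XPR_LOGIN: login, XPR_PASSWORD: password } = env;
  if (!login || !password) throw new Error("XPR_LOGIN and XPR_PASSWORD must be set");
  return { login, password };
}
```

Run it as `adminLogin(baseUrl, credentialsFromEnv())` followed by `session.api("<route>")` calls; a failed login throws before any api/* request is made.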

De-Authentication

Frontend and admin users can be deauthenticated with /auth/logout/ and /auth/admin/logout/ respectively.