When setting up a modal form to get some metadata from my app server, I can only register a url in the app to call an app server to process the request.
I can’t pass in any headers/custom fields to, say, pass an API/token key of some kind for the server to ensure the request is valid from my app.
How can this be achieved?
Is there some other type of auth methods you can suggest?
Hi @Zubair_Hasan, based on my understanding of your concern it looks like the primary concern here is validating that the request sent to your app server is coming from Asana.
If that is the case, you can validate that the request your app server is receiving is coming from Asana by checking the x-asana-request-signature from the request header that Asana sends to your app server. More details about that here: Building app components
In short, this is what happens:
- A user opens up a task and clicks on your app component
- Asana makes a request to your app server’s Get form metadata with the x-asana-request-signature in the request header
- Your app server should extract the x-asana-request-signature and then generate a computed signature using your app’s client_secret and the query params that Asana sends to your app server (i.e., "the query string of the request with escaped characters, omitting the leading ? of the query string")
- Compare the x-asana-request-signature to your computed signature. If they match, then it means the request is coming from Asana; otherwise it’s probably coming from a bad actor
NOTE: the way you compute your computed signature varies depending on whether the request is a POST or a GET; read more about how you should compute this under (Generating the signature)
Also, take a look at our sample app to see how we’ve done it: app-components-example-app/index.js at main · Asana/app-components-example-app · GitHub
Hi John,
Thank you for the response, I’ll give this a go!
Best
Zubair