How to create a token for another user

code_af 2 years ago

I want to simulate public sharing through a custom application. If I want to share a device via a public URL, then the best approach, as far as I have found, is to create a read-only user, assign the device to it and share it through a token.

As an admin user, I can create a read-only user and assign the device to it through the API, but I didn't find how to create a token on behalf of this newly created user.

Can admin create a token for a user through API?

Anton Tananaev 2 years ago

Login as that user and create a token from there.

code_af 2 years ago

Hi Anton,
For the very first time it is possible to temporarily store the username and password of the newly created user and log in on their behalf through the API, but how do I log in on behalf of this user next time, if I don't have a password for this user?

I see in the official Traccar web app that the admin can log in to every other user's account. I tried to create a session with the user id parameter, but did not succeed: api/session/74.

code_af 2 years ago

I was able, with admin access, to log in as a user through a GET request to api/session/userId.

But I see that a manager cannot log in to managed users through the API; only administrators can do it.

Doesn't it make sense that a manager should also be able to fetch the session information for a managed user?
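The admin-side flow described in this thread, as an added example that is not part of the original posts or of Traccar's own code: log in as an administrator, take over the target user's session with GET /api/session/{userId} (which the thread says only admins may do), then request a token with POST /api/session/token. The endpoint paths are assumed from the thread and from Traccar's REST API; the user id 74 is the one mentioned above. FakeTraccar, HttpTransport, token_for_user and the sample accounts are constructed for this example so that it runs offline; pointing HttpTransport at a real server URL uses the same flow over HTTP.

```python
# Added example, not Traccar's own code. Endpoint paths assumed from the thread:
# POST /api/session (login), GET /api/session/{userId} (admin switches session),
# POST /api/session/token (token for the current session user).
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request


class HttpTransport:
    """Sends requests to a live server; a cookie jar keeps the session cookie."""

    def __init__(self, base_url):
        self.base = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def send(self, method, path, form=None):
        data = urllib.parse.urlencode(form).encode() if form is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        if data is not None:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with self.opener.open(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()


class FakeTraccar:
    """Constructed in-memory stand-in for the server, so the example runs offline.
    It enforces the rule the thread describes: only an administrator may switch
    to another user's session; managers and plain users get 403."""

    def __init__(self):
        self.users = {  # constructed sample accounts
            1: {"email": "admin@example.com", "password": "admin-pw", "administrator": True},
            2: {"email": "manager@example.com", "password": "manager-pw", "administrator": False},
            74: {"email": "viewer@example.com", "password": "viewer-pw", "administrator": False},
        }
        self.session_user = None  # user id bound to the current session

    def send(self, method, path, form=None):
        if (method, path) == ("POST", "/api/session"):
            for uid, user in self.users.items():
                if (user["email"], user["password"]) == (form.get("email"), form.get("password")):
                    self.session_user = uid
                    return 200, json.dumps({"id": uid, "email": user["email"]})
            return 401, "Unauthorized"
        if self.session_user is None:
            return 401, "Unauthorized"
        if method == "GET" and path.startswith("/api/session/"):
            if not self.users[self.session_user]["administrator"]:
                return 403, "Forbidden"
            target = int(path.rsplit("/", 1)[1])
            if target not in self.users:
                return 404, "Not Found"
            self.session_user = target  # the session now belongs to the target user
            return 200, json.dumps({"id": target, "email": self.users[target]["email"]})
        if (method, path) == ("POST", "/api/session/token"):
            return 200, f"token-for-user-{self.session_user}"  # constructed token value
        return 404, "Not Found"


def token_for_user(transport, admin_email, admin_password, user_id, expiration):
    """Obtain a token for user_id by logging in as admin and switching sessions.

    expiration is the form value the token endpoint takes; an ISO-8601 timestamp
    such as "2030-01-01T00:00:00Z" is assumed here."""
    status, body = transport.send("POST", "/api/session",
                                  {"email": admin_email, "password": admin_password})
    if status != 200:
        raise PermissionError(f"admin login failed: {status} {body}")
    status, body = transport.send("GET", f"/api/session/{user_id}")
    if status in (401, 403):
        raise PermissionError(f"not allowed to switch to user {user_id}: {status}")
    if status != 200:
        raise RuntimeError(f"session switch failed: {status} {body}")
    status, body = transport.send("POST", "/api/session/token", {"expiration": expiration})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    return body


if __name__ == "__main__":
    print(token_for_user(FakeTraccar(), "admin@example.com", "admin-pw", 74, "2030-01-01T00:00:00Z"))
```

Because the token is minted for whichever user owns the session after the switch, the script never needs the read-only user's password, which is the point Anton makes later in the thread; the same call made with a manager account is refused at the session switch and no token is issued.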

Anton Tananaev 2 years ago

Currently it's only limited to admins.

code_af 2 years ago

If we change this permission, then in many cases it will add value, especially for public sharing.

  1. It makes sense that if a manager added a user, he should be able to log in to it, because this manager already has all other access to this user and can even delete it.

  2. In a scenario like a custom app, if someone wants to implement public sharing, they will change all users to the manager role, so that managers can share a public view of their trackers with other people [instead of the admin's interference]. As a token is a good idea for a public view, the manager will then easily be able to log in through a GET request to api/session/userId and create a token for its managed user.

If you agree, then I can send a PR for this.

Anton Tananaev 2 years ago

Sure, feel free to send a pull request. Make sure to implement it on both sides, the backend and the web app.

code_af 2 years ago

In case anyone else reaches here, this functionality is now implemented and is most likely to be available in v5.7.

Hi, how could I set the token for another user?

Anton Tananaev a year ago

Login as that user and create a token.

Hi Anton,

I'm not familiar with Java, but I looked at a little of the server code in SessionResource.java and changed the token method like this. Can this set the token for another user safely?

    @Path("token")
    @POST
    public String requestToken(
            @QueryParam("userId") long userId,
            @FormParam("expiration") Date expiration) throws StorageException, GeneralSecurityException, IOException {
        if (userId != 0) {
            return tokenManager.generateToken(userId, expiration);
        } else {
            return tokenManager.generateToken(getUserId(), expiration);
        }
    }
Anton Tananaev a year ago

Your code is definitely not safe. It will allow any user to generate a token for any other user. Why not just do what I recommended?

If I do it the way you recommended, it doesn't turn out very well.

My app has a customer registration screen where I already need to define the token. I no longer have the customer password after the registration screen. It is encrypted.

I did a little change in the code to check if the caller is an admin; now I think it is safe.

    @Path("token")
    @POST
    public String requestToken(
            @QueryParam("userId") long userId,
            @FormParam("expiration") Date expiration) throws StorageException, GeneralSecurityException, IOException {
        if (userId != 0) {
            User currentUser = getUserId() > 0 ? permissionsService.getUser(getUserId()) : null;
            if (currentUser != null && currentUser.getAdministrator()) {
                return tokenManager.generateToken(userId, expiration);
            } else {
                return "";
            }
        } else {
            return tokenManager.generateToken(getUserId(), expiration);
        }
    }
Anton Tananaev a year ago

You don't need to have the customer password, obviously. As an admin you can log in as any user.

It's not clear to me in the API Reference. Sorry.