
Comments (13)

cyrillef commented on September 24, 2024

This is curious - did you clear your cache?

from forge-rcdb.nodejs.

astrolabio commented on September 24, 2024

If I have the model URN of another user, can I view his models? Isn't it a security issue?
The Cache is disabled

cyrillef commented on September 24, 2024

Since you are on forge-rcdb live, I believe you did not login using your account/credentials, and you get this error. But this error has nothing to do with the model you are currently viewing. This model is public, and does not require login, hence you can see it.

astrolabio commented on September 24, 2024

If I log in, the first error disappears, but the second is related to the viewer.

cyrillef commented on September 24, 2024

Can you copy me the URL you are using when you see this error?

astrolabio commented on September 24, 2024

https://forge-rcdb.autodesk.io/database?id=583ec7efebfb320e3cef26a5

cyrillef commented on September 24, 2024

OK, this is what I said above: this model is public, so there is no need for a token. Actually, the code obfuscates the real token itself, being a proxy. On your debugger console, enter the following line of code:
NOP_VIEWER.model.myData.basePath

Note the syntax of the URL -> lmv-proxy-2legged

When doing this, the token will be added by the RCDB server to any HTTP request coming from the Viewer - this is a security measure to prevent someone from using the real token to access any information other than the one we allow.

astrolabio commented on September 24, 2024

Sorry if this is out of the issue, but how do you make a model private?

leefsmp commented on September 24, 2024

A few precisions to add to what Cyrille mentioned above. The 404 /api/forge/user error is just expected if you are not logged in. In that case there is no user, so the backend returns a 404. Some demos require access to your A360 models to work, so you will get prompted to log in. The models on the home page are not linked to a specific account, so you can view them without login.

The second error is displayed by the viewer and is due to an error message that doesn't take into consideration that a proxy can be used, and hence the viewer is not seeing a token. It is a bit ironic that such a message gets displayed, as using a proxy should be the recommended approach: it is considered more secure and flexible than providing an endpoint with a token. Securing your Forge Viewer token behind a proxy.

You can just go ahead and not worry about those errors.

leefsmp commented on September 24, 2024

To make a model private you make the page that displays it private.

astrolabio commented on September 24, 2024

Yes, but if you make the page private and someone knows the URN of your model, he will be able to access your model through his viewer, won't he?

leefsmp commented on September 24, 2024

Yes, as long as he has access to a valid access token with viewable scope, which can be exposed by an endpoint of your app. To prevent that, you can use a proxy as mentioned above and enforce that kind of permission at the proxy level. Typically you can add any extra custom logic in the proxy that could check if the currently logged-in user is allowed to view the model pointed to by the requested URN.

from forge-rcdb.nodejs.
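
The proxy-level permission check described in the comment above, as an added example that is not part of the original thread or of forge-rcdb's code. Only the `lmv-proxy-2legged` route name comes from the thread; the path layout after it, the ACL, the session shape and all function names are assumptions made for illustration.

```javascript
// Added example; every name except the lmv-proxy-2legged route is hypothetical.
const PROXY_PREFIX = '/lmv-proxy-2legged/';

// Constructed ACL: model URN -> users allowed to view it ('*' = public model).
const MODEL_ACL = new Map([
  ['Y29uc3RydWN0ZWQtcHVibGlj', new Set(['*'])],
  ['Y29uc3RydWN0ZWQtcHJpdmF0ZQ', new Set(['alice'])],
]);

// Assumed path layout: /lmv-proxy-2legged/<resource>/<urn>[/<file...>]
function extractUrn(path) {
  if (typeof path !== 'string' || !path.startsWith(PROXY_PREFIX)) return null;
  const segments = path.slice(PROXY_PREFIX.length).split('?')[0].split('/');
  if (segments.length < 2) return null;
  let urn;
  try {
    urn = decodeURIComponent(segments[1]);
  } catch {
    return null; // malformed percent-encoding: reject rather than guess
  }
  return /^[A-Za-z0-9_-]+$/.test(urn) ? urn : null;
}

// Decide before any upstream call is made; unknown URNs are denied by default.
function authorizeViewerRequest(session, path) {
  const urn = extractUrn(path);
  if (!urn) return { status: 400, reason: 'no valid URN in path' };
  const allowed = MODEL_ACL.get(urn);
  if (!allowed) return { status: 403, reason: 'URN not registered' };
  if (allowed.has('*')) return { status: 200, urn };
  if (!session || !session.user) return { status: 401, reason: 'login required' };
  if (!allowed.has(session.user)) return { status: 403, reason: 'user not allowed' };
  return { status: 200, urn };
}

// Only after authorization does the proxy attach its own token; anything the
// browser sent as Authorization or Cookie is dropped, never forwarded.
function upstreamHeaders(clientHeaders, serverToken) {
  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const lower = name.toLowerCase();
    if (!['authorization', 'cookie', 'host'].includes(lower)) out[lower] = value;
  }
  out.authorization = `Bearer ${serverToken}`;
  return out;
}
```

With this in place, knowing a URN is not enough: the browser never holds a token, and the proxy refuses to spend its own token on a URN the session is not entitled to.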

astrolabio commented on September 24, 2024

Thank you for the explanations, I hadn't noticed the proxy, now it makes sense.
