Post Preview With Short-Lived Token For Auth

Hey there!

I’ve just found Squidex while looking for a headless CMS to power my website, and I’m really liking it so far! One important thing to me is to be able to preview how posts will look on my website, and I’m glad to see that this has been integrated already.

I did have an idea for making authentication easier to implement for this specific case. I could be mis-understanding something, so let me know if this is irrelevant!

As far as I understand, in order for the website to view the unpublished content, it still must authenticate, which means my user must login to my website frontend before the preview URL could work.

That isn’t that big of a deal for me to implement, but since my website has absolutely no need to have users log in, other than for previewing, it would be nice if there was a way to include a preview token that could be used to access unpublished data without requiring a login.

This would help simplify my frontend because I wouldn’t need to implement an OIDC workflow, and I wouldn’t need to ask my user to login to my website, when they’ve already logged into Squidex.

This preview token could be short lived, or one-time use maybe, and it could be generated every time the user opens the edit page. When my website frontend needs to render a preview page, then, it can use the preview token that could be delivered in the query string, to make the API request and get the data without needing any other authentication workflow.

Thanks for your nice words.

The idea is good in general, but the problem are the permissions. The token needs read only permission to basically everything, because you don’t know what content you actually fetch in a previewed URL.

But you can also create anonymous clients, where you can control the permissions in a very granular way. Then you do not need OIDC at all.

Maybe the token could be associated to the post that is being previewed. Like a JWT with the post ID in it.

That would work as long as there was never any sensitive information in a draft, but that feels a little fragile to me.

For instance, if there was like a product announcement draft that wasn’t supposed to come out until a certain time an anonymous user might be able to figured out how to view the post preview and get info about the product earlier than they should be able to.

And what happens when you show other content besides the post on your website that is also in preview mode?

That’s a good question. I hadn’t thought about that.

In my use case I am needing to preview a single blog post to see what it will look like, but I hadn’t thought about previewing all of the un-published content at the same time, or cases where there are multiple pieces of unpublished content that you need to view together.

Maybe we could associate the token with the user who is logged in and clicking the preview link, then.

The token would have read access to anything the user is allowed to access.

Then we can just provide an option to inject the access_token :wink:

1 Like

Would this help you? But could be dangerous.

I’m not sure I’m going to end up using Squidex yet, so don’t add the feature just for me. :slight_smile:

I’d call it low priority unless somebody else needed this, because it’s still possible to accomplish as long as you have a login interface for your frontend.

Okay, sure.

If you have made the decision for another CMS I would really appreciate if you have time for a feedback call.

It’s looking like I’m going with Directus so far, but I’m not sure yet. If we go with that I’ll try to find time make a call, and in case I can’t find time for that I’ll definitely leave my feedback on a forum topic. :+1:

1 Like