Can I log in to Daml Hub from a UI hosted elsewhere

Is it possible to log in to Daml Hub, get my token and party, and then start using the ledger API against Daml Hub, all on a frontend that isn’t hosted on Hub? I’m trying to log in, then after that create a ledger client using the token returned by Hub.

Yes, unless:

  • you are in a web browser
  • you are using the HTTP JSON API as hosted on a Daml Hub URL (https://LEDGER_ID.daml.app)
  • you are trying to access URLs on that domain from another domain

For the protection of users, every modern web browser implements CORS (Cross-Origin Resource Sharing; see MDN), which specifically blocks access from inside the browser itself when it thinks you are attempting to do things that might pose a security risk to the user.

We do not currently offer ways of customizing HTTP headers to inform browsers that arbitrary domains are allowed to connect to a specific Daml Hub-hosted HTTP JSON API instance, but if you are already hosting a frontend on a different domain, you may additionally be able to configure that different domain to also proxy the HTTP JSON API through. This will obscure what is really going on to your browser, which will think that all traffic is coming from a single domain, and therefore make it perfectly content to use the HTTP JSON API as normal.

Again, these caveats only apply to HTTP JSON API when used in a web browser, due to restrictions implemented by web browsers. Services making calls to HTTP JSON API or gRPC Ledger API typically do not inspect CORS headers nor do they try to implement those policies.
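
The proxy approach described in the reply above, sketched as an added example (not part of the original posts and not Daml Hub code): a small Node.js reverse proxy, served from the frontend's own origin, that forwards only `/v1/` HTTP JSON API calls to one fixed upstream. `LEDGER_ID` is the placeholder from the post; the function names, the header allowlist and the `PROXY_PORT` variable are assumptions, and streaming (WebSocket) endpoints are not handled.

```javascript
// Added example. LEDGER_ID is the placeholder used in the post, not a real ledger.
const UPSTREAM = 'https://LEDGER_ID.daml.app';
const ALLOWED_METHODS = new Set(['GET', 'POST']);
// Only what the JSON API needs; cookies of the frontend's domain are never forwarded.
const FORWARDED_HEADERS = ['authorization', 'content-type', 'accept'];

// Map an incoming request to the upstream call, or return null if it must not be proxied.
function buildUpstreamRequest(method, url, headers) {
  if (!ALLOWED_METHODS.has(method)) return null;
  // Accept origin-form paths only, so the caller can never choose the upstream host.
  if (typeof url !== 'string' || !url.startsWith('/') || url.startsWith('//')) return null;
  // Parsing normalises dot segments, so "/v1/../x" is checked as "/x".
  const parsed = new URL(url, 'http://proxy.invalid');
  if (!parsed.pathname.startsWith('/v1/')) return null;
  const out = {};
  for (const name of FORWARDED_HEADERS) {
    if (headers[name] !== undefined) out[name] = headers[name];
  }
  return { method, url: UPSTREAM + parsed.pathname + parsed.search, headers: out };
}

// Start the proxy on localhost; put it behind the same web server that serves the UI.
async function startProxy(port) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const up = buildUpstreamRequest(req.method, req.url, req.headers);
    if (!up) { res.writeHead(404).end(); return; }
    try {
      const chunks = [];
      for await (const chunk of req) chunks.push(chunk);
      const body = up.method === 'POST' ? Buffer.concat(chunks) : undefined;
      // redirect: 'manual' keeps the proxy from following upstream redirects elsewhere.
      const r = await fetch(up.url, { method: up.method, headers: up.headers, body, redirect: 'manual' });
      res.writeHead(r.status, { 'content-type': r.headers.get('content-type') || 'application/json' });
      res.end(Buffer.from(await r.arrayBuffer()));
    } catch {
      res.writeHead(502).end();
    }
  }).listen(port, '127.0.0.1');
}

// Runs only when PROXY_PORT is set (assumed variable name).
if (process.env.PROXY_PORT) startProxy(Number(process.env.PROXY_PORT));
```

Because the browser now talks to a single origin, no CORS headers are involved; the token still travels in the `Authorization` header and is passed through unchanged.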

Thanks! That makes sense. What is the API for doing a login? Looking at the docs, I only see 2 GET requests that redirect and then the service account login API, but not a user login API (guessing it would be a POST request).

Ah right of course—login is a problem as well. Login providers (Daml Hub included) don’t allow for arbitrary redirects after the login flow completes because that would be a huge attack vector!

What might work is a little bit of a “shim” HTML page hosted on Daml Hub that, after the login flow completes, intentionally sends the user to a different domain with the token acquired after login.

Ah, so can’t log in through the API from a server?

No, most login screens these days require proof of some kind of actual human user interaction so logging in directly with a provided username/password via an API isn’t typically allowed any more. (If it were, you’d effectively be in a position to capture usernames/passwords on a login screen of your own choosing to any service provider you want!)