
Javascript - Get currently authenticated user's data

We have a site that is being converted from wordpress to webflow. In addition to wordpress, the site also relies on a PHP back-end that I coded for the AJAX content on certain pages. Of course PHP will not run on webflow so I was planning to move my API to a subdomain such as That way, Javascript running in webflow pages can still get data from my API. The following text taken from our Slack explains the rest:

It’s not about wordpress. Our API (Which I coded) is in PHP. It is responsible for supplying data to the user interface. This works by some code on the wordpress page making an HTTP request to my API. Since the user is logged into WP and since my API is able to include a special WP file that allows it to interact with the WP install (Possible since both my API and WP are on the same server), my API can check to see if the user is logged into WP and if they have paid.

In the case of webflow, I would have to put my API on a different subdomain since the main site and API will no longer be hosted on the same server. That way, pages can still make HTTP requests to the API. Easy enough but now that they are no longer on the same server, there is no file (Like the WP file) to include in my code that will enable getting a user’s logged in and payment status.

Usually, the way to accommodate this would be having my API connect back to webflow’s API upon each request to verify user status. They do have an API but upon further inspection, I don’t see any API methods for getting the currently logged in user’s authentication status or membership: API seems very limited and is therefore giving me cause for some concern.

In summary, I know I can include javascript in webflow pages and make calls to the webflow API from my PHP (Hosted elsewhere) but how can I send what’s needed to query information from the webflow API about the currently logged in user specifically, from the javascript on a webflow page?

If Webflow provides a token-based API, you can call the API method and pass the token, and based on the token verification it will return the currently logged in person’s details.

You can use AJAX to send a network request to a Webflow server with the proper header; it will check for the auth token and, if it verifies, you will be able to get the response from the server.

That way, you can get the current authenticated user’s data.

I hope this helps.

Managing user authentication and authorization is a very serious responsibility, and getting it wrong can cost a lot more than unauthorized access to your app. It can also compromise user privacy or lead to financial damage or identity theft for your users. Unless you are a huge company with a huge security team, you don’t want that kind of responsibility or liability for your app.

Most apps today are built with username and password authentication, and once a user is signed in, that user session can do anything it wants to do, without revalidating the user’s intention.

That security model is broken for a number of reasons:

Password-only security models are obsolete. If you have any doubt about that, head over to HaveIBeenPwned and plunk in your email address. Sensitive data has been stolen in many high profile data breaches impacting companies like Dropbox, Adobe, Disqus, Kickstarter, LinkedIn, Tumblr, and many, many more. If there’s a database with passwords in it, it’s only a matter of time before it gets stolen.

Hashing passwords won’t save you or your users. Once a database of passwords has been stolen, hackers aim huge distributed computing power at those password databases, utilizing parallel GPUs or giant botnets with hundreds of thousands of nodes to try hundreds of billions of password combinations per second in hopes of recovering plaintext username/password pairs.

If an attacker can discover a password that hashes to the same hash as the one stored in your database, they’ll take that combination and try it on things like bank account websites. In many cases, even a salted, hashed password database will give up another valid username/password pair every minute or so. That’s about half a million leaked passwords per year — and that rate is doubling every few years. I wrote about this topic in 2013. The bad guys are now hashing passwords more than 10 times faster than they were then.
User Sessions Get Hijacked

User sessions are commonly hijacked after authentication, allowing attackers to exploit that user’s application resources. In order to prevent that, you’d need to re-authenticate the user with every request, and in the land of usernames and passwords, that would create an awkward user experience.