Getting the logged user with the Backend SDK

[vimtor]

I wonder if there is any way to get the current logged user from the cookies.

This could prove really useful when building custom storefronts (such as marketplaces) and you want to performed admin level actions.
Maybe this can already be done and I was not able to find it.

A way to get the logged user or a way to create a new client with an specific user would be really cool. For example Supabase has something similar: https://supabase.com/docs/guides/auth/auth-helpers/nextjs. But in the case of Swell it could be simpler, just a getUserFromCookie in the Backend API could do the trick.

[ericingram]

The session cookie is a frontend API concept, but there is actually a REST API endpoint to retrieve the session object that you could call from the server-side.

GET https://<STORE_ID>.swell.store/api/session

Along with these HTTP headers (javascript):

{
    Authorization: `Basic ${base64Encode(<PUBLIC_KEY>)}`,
    'X-Session': '<SESSION_COOKIE>'
}

That will return a decoded session object that looks something like this:

{
  "public_key": "pk_cn6XsV3m28OjPuN68JdqYbbWJSUGbCqG",
  "account_id": "5e87af109ead3b62f716d1ce",
  "cart_id": "5c15505200c7d14d851e510f"
}

There's a background discussion on how to improve and thereafter document the frontend API endpoints, but we're unlikely to get it done this year.

[vimtor]

Thank you @ericingram!

Maybe I did not explain myself correctly, but with the information you provided, I got this working in Next.js 13

import { NextResponse } from "next/server";
import { cookies } from "next/headers";
import { swell } from "@/lib/swell/server";

function base64Encode(str?: string) {
  return str ? Buffer.from(str).toString("base64") : "";
}

async function getLoggedUser() {
  const sessionId = cookies().get("swell-session")?.value;

  if (!sessionId) {
    return null;
  }

  const response = await fetch(`https://${process.env.NEXT_PUBLIC_SWELL_STORE_ID}.swell.store/api/session`, {
    method: "GET",
    headers: {
      Accept: "application/json",
      "Content-Type": "application/json",
      Authorization: `Basic ${base64Encode(process.env.NEXT_PUBLIC_SWELL_PUBLIC_KEY)}`,
      "X-Session": sessionId,
    },
  });

  const { account_id } = await response.json();
  return swell.get("/accounts/" + account_id);
}

export async function GET() {
  const user = await getLoggedUser();
  return NextResponse.json({ user });
}

[ericingram]

Amazing 🙌

[vettloffah]

thanks @vimtor this is helpful for securing backend routes

[vettloffah]

I used this method to secure our /profile route on our SvelteKit site.

1. Create a server hook at /src/hooks.server.ts. If the route doesn't include /profile it just forwards the event:

import { PUBLIC_SWELL_PUBLIC_KEY, PUBLIC_SWELL_STORE_ID } from '$env/static/public'
import type { Handle } from '@sveltejs/kit'
import swell from '$lib/swell/backend'
import type { Account } from '$lib/types'

function base64Encode(str?: string) {
	return str ? Buffer.from(str).toString('base64') : ''
}

async function getSwellAccountFromSession(sessionId: string) {
	const response = await fetch(`https://${PUBLIC_SWELL_STORE_ID}.swell.store/api/session`, {
		method: 'GET',
		headers: {
			Accept: 'application/json',
			'Content-Type': 'application/json',
			Authorization: `Basic ${base64Encode(PUBLIC_SWELL_PUBLIC_KEY)}`,
			'X-Session': sessionId as string
		}
	})

	const { account_id } = await response.json()
	return (await swell.get(`/accounts/${account_id}`)) as Account | null
}

/**
 * Confirm session with swell for secure routes
 */
export const handle: Handle = async ({ event, resolve }) => {
	const sessionId = event.cookies.get('swell-session')

	if (!sessionId) {
		return await resolve(event)
	}

	if (event.url.pathname.includes('/profile/')) {
		const account = await getSwellAccountFromSession(sessionId)
		event.locals = {
			...event.locals,
			is_admin: account?.group?.includes('admin'),  // we have a custom account group "admin" in our store
			logged_in_user: account?.id
		}
	}

	return await resolve(event)
}

2. Then in the protected route, we can check for the logged_in_user value.

src/routes/profile/+page.server.ts

import type { PageServerLoad } from './$types'
import { redirect } from '@sveltejs/kit'

export const load = (async ({ locals }) => {
	const { logged_in_user } = locals

	if (!logged_in_user) {
		throw redirect(307, '/profile/login')
	}

     return { logged_in_user }
}) satisfies PageServerLoad

SvelteKit docs: https://kit.svelte.dev/docs/hooks#server-hooks