Securely identifying the Retool user

Goal:
Securely identifying the Retool user

Details:
I have a resource and my desire is to have all requests share the details of the user making the request to allow us to handle authorisation. I have not been able to find a way to securely do this though. Any reference to the current_user, such as placing it in the headers, could be manipulated.

Is this something that is possible? Issuing cookies or similar does not seem to be an option unless we go down the self-hosted route.

Hey @Jack_Coates! Welcome back to the community and thanks for reaching out. 🙂

While it's true that opting for a self-hosted deployment would definitely give you additional options, I don't think it's specifically necessary for your proposed use case. We already specifically validate any references made to the current_user object from within resource queries. It's not a long article, but you can see some additional context in our docs.

Let me know if you have any additional questions!