Rally Software

  • 1.  Rally SDK2 WSAPI - Javascript - Embedded application - Authorization for non-Rally users - ApiKey

    Posted Jun 15, 2020 05:29 PM
    Edited by gregory.garcia Jun 15, 2020 05:32 PM
    Hello,

    I built a very small Javascript application that updates a story field (Plan Estimate) using the SDK2 WSAPI.
    • it works well when executed locally from my computer, I just need to be logged in to Rally (cookie) or to key in my credentials at execution time
    • it works well when embedded in Rally, thanks to a "Custom HTML" application, as I'm already logged in

    What I would like is to be able to run the embedded application (Custom HTML) even when not logged in to Rally and without providing any credentials as clear text. For instance, if I provide the URL to another person who has no Rally account.

    I generated a full-access ApiKey from https://rally1.rallydev.com/login/accounts/index.html#/keys
    I don't understand how to use this key to reach my application, or even in my application code. Is it possible to achieve my goal thanks to the ApiKey?

    Here is my code snippet:
    <!DOCTYPE html>
    <html>
    <head>
    	<!-- RALLY EMBEDDED -->
        <script type="text/javascript" src="/apps/2.1/sdk.js"></script>
    	
    	<!-- LOCAL DEV -->
    	<!-- <script type="text/javascript" src="https://rally1.rallydev.com/apps/2.1/sdk-debug.js?debug=true"></script> -->
    </head>
    <body>	
    	<!-- Rally application execution -->
    	<script type="text/javascript">
    		
            Rally.onReady(function() {
                // The Rally application
                Ext.define('Rally.test', {
                    extend: 'Rally.app.App',
    
                    // Method fired on application launch
                    launch: function() {
    					
    					// Create a display panel
                        var displayPanel = Ext.create("Ext.Panel", {
                            itemId: "displayPanel",
                            height: 800,
                            autoScroll: true,
                            html: ['<div id="displayContainer"></div>'],
    						listeners: {
    							afterrender: function() {
    								// Get user stories model
    								Rally.data.ModelFactory.getModel({
    									type: 'UserStory',
    									context: {	workspace: '/workspace/12345',
    												project: '/project/12345',
    											},
    									success: function(model) 
    									{
    										// Update (load, update and then save) a story thanks to the retrieved model
    										var sInRally = model.load(('US12345'),{
    											fetch: ['Notes', 'PlanEstimate', 'c_MAActuals'],
    											callback: function(record, operation){
    															
    												// Update the value
    												record.set('PlanEstimate', 3);
    												
    												// Save the story
    												record.save({
    													callback: function(record, operation) {
    														if(!operation.wasSuccessful()) {
    															console.log(' - Update failure!');
    														}
    													}
    												});
    											}
    										});
    
    									},
    									failure: function(error){
    										console.log(' - Update failure! (model)');
    									}
    								});		
    							}
    						}
                        });
                        this.add(displayPanel);
                    }
                });
    
                Rally.launchApp('Rally.test', {
                    name: 'test'
                });
            });	
    	</script>
    </body>
    </html>

    Thanks for your help,
    Greg.


  • 2.  RE: Rally SDK2 WSAPI - Javascript - Embedded application - Authorization for non-Rally users - ApiKey

    Broadcom Employee
    Posted Jun 16, 2020 08:54 AM
    Hi Greg,

    The two mechanisms you mentioned that work use the ZSESSIONID cookie to provide the apiKey. In the scenario where you are running in a piece of html, the only way I know of to get the code to authenticate is to put the apiKey on the url, e.g.:

    <script type="text/javascript" src="https://rally1.rallydev.com//apps/2.1/sdk-debug.js?apiKey=_2Mm1lkNj15WBiKkmplWT2VOv5T5bpzLzIYJhk6ei2P"></script>

    The only issue with this though is that the apiKey is readable by anyone able to run the html file. If it is a read-only key and it gets into the wild, then whoever has it can read all your data (at least the stuff that the apiKey enables). If it is a read/write key, then you're really in trouble.

    ------------------------------
    Nik
    Ask me a question, I'm All Ears!
    Rally Sales Engineer
    Rally Software
    ------------------------------



  • 3.  RE: Rally SDK2 WSAPI - Javascript - Embedded application - Authorization for non-Rally users - ApiKey

    Broadcom Employee
    Posted Jun 16, 2020 09:00 AM
    As a hack to try and hide the key, I made a different file that used the apiKey, that then loaded the code from myfile.html (which does not contain the apiKey) into an iframe. The only problem with this is that you need a local web server to be able to hide the apiKey. The user doesn't get to see the apiKey, only the code you provide. Here is the file I used:

    <!DOCTYPE html>
    <html>
    <head>

    <title>Example</title>

    <iframe height=1000 width=800 src="http://localhost:1337/myfile.html?apiKey=123456789098765432123456789098765"></iframe>

    <style type="text/css">

    </style>
    </head>
    <body></body>
    </html>

    ------------------------------
    Nik
    Ask me a question, I'm All Ears!
    Rally Sales Engineer
    Rally Software
    ------------------------------
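
The key-hiding goal from the post above, handled on the server side, as an added example that is not part of the original thread and is not Rally's own code: a small backend keeps the key and accepts only a validated Plan Estimate update, so the credential never appears in HTML or in a URL. The WSAPI path, the ZSESSIONID request header for API keys, the update by numeric ObjectID, the 0 to 100 bound and all function names are assumptions of this example.

```javascript
// Added example (not Rally's code): server-side pieces of a narrow update proxy.
// The API key stays in server configuration and is never sent to the browser.
const RALLY_BASE = 'https://rally1.rallydev.com/slm/webservice/v2.0'; // assumed WSAPI base

// Validate the untrusted browser payload: one artifact, one writable field.
function validateUpdate(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const extra = Object.keys(input).filter(
    (k) => k !== 'objectId' && k !== 'planEstimate');
  if (extra.length > 0) errors.push('unexpected fields: ' + extra.join(', '));
  if (!Number.isInteger(input.objectId) || input.objectId <= 0) {
    errors.push('objectId must be a positive integer');
  }
  const pe = input.planEstimate;
  // The 0..100 range is an assumed business bound, not a Rally limit.
  if (typeof pe !== 'number' || !Number.isFinite(pe) || pe < 0 || pe > 100) {
    errors.push('planEstimate must be a number from 0 to 100');
  }
  return { ok: errors.length === 0, errors };
}

// Build the upstream call; apiKey comes from server config, never the request.
function buildUpstreamRequest(input, apiKey) {
  const check = validateUpdate(input);
  if (!check.ok) return { ok: false, status: 400, errors: check.errors };
  return {
    ok: true,
    url: RALLY_BASE + '/hierarchicalrequirement/' + input.objectId,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', ZSESSIONID: apiKey },
      body: JSON.stringify({
        HierarchicalRequirement: { PlanEstimate: input.planEstimate } }),
    },
  };
}

// Reply to the browser with the outcome only: no upstream headers, no key.
function clientResponse(upstreamSucceeded) {
  return { updated: Boolean(upstreamSucceeded) };
}
```

A real deployment would pass `url` and `options` to the server's HTTP client and put its own access control in front of the endpoint, since anyone who can reach the proxy can perform the one update it allows.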



  • 4.  RE: Rally SDK2 WSAPI - Javascript - Embedded application - Authorization for non-Rally users - ApiKey

    Posted Jun 16, 2020 09:32 AM
    Hi Nik, thanks for your help!

    My application URL is https://rally1.rallydev.com/#/26964342459ud/custom/398164203864, I can also access it directly thanks to the following URL: https://rally1.rallydev.com/slm/panel/html.sp?panelOid=398164207404

    The point is that I do not want to run the HTML file locally, nor on a local web server; I intend to host the HTML code directly in Rally thanks to the "Custom HTML" application. This application allows hosting some HTML/Javascript code in a Rally panel on a Rally custom page. When my application is embedded in Rally, I cannot access it without authenticating myself, even if I set the apiKey argument in the sdk URL as you mentioned.

    Do you think there is a way to provide the apiKey in the Rally URL?
    This URL does not work better: https://rally1.rallydev.com/slm/panel/html.sp?panelOid=398164207404&apiKey=<mykey>

    Greg.


  • 5.  RE: Rally SDK2 WSAPI - Javascript - Embedded application - Authorization for non-Rally users - ApiKey
    Best Answer

    Broadcom Employee
    Posted Jun 16, 2020 10:10 AM
    Hi Greg,

    That description is a little clearer. Unfortunately, you cannot give someone access to the UI via an apiKey. The Custom HTML app is served up by the UI, not an API call.

    ------------------------------
    Nik
    Ask me a question, I'm All Ears!
    Rally Sales Engineer
    Rally Software
    ------------------------------



  • 6.  RE: Rally SDK2 WSAPI - Javascript - Embedded application - Authorization for non-Rally users - ApiKey

    Posted Jun 16, 2020 12:20 PM
    Hi Nik,

    Thanks again for your inputs, I now understand why I couldn't manage to get it working :-)

    Greg.