Detect if the person running the project is logged in as the owner of the project

We are creating a 3D story editor for mixed reality, for kids, that runs in glitch. The editor allows you to lay out a mixed reality story as a series of scenes, storing the scenes in json files in the project, and using Assets for the assets.

I would like to set things up such that if I (the owner of the project) run the glitch, I have both “edit” and “view” buttons. If anyone else runs the glitch, they only have a “view” button (to see the scenes). The model follows glitch itself; if someone wants to riff on your story and edit your scenes, they remix the glitch, getting a copy of all the docs and assets.

But I can’t see a way to tell if the browser window that is running the project is also logged into glitch, and if so, if the account it’s logged into is the owner of the glitch. Is this possible?

Hey @blairmacintyre, right now there’s no guaranteed way for a Glitch app to know that the user browsing the app is logged into Glitch at all. For something like this I’d suggest adding authentication of some kind to your app and relying on that.

One workaround you could use would be to manually set Glitch’s authentication token in your app (perhaps in localStorage) and then to call the Glitch API using that token to verify project membership. In the browser console for any project’s Editor window JSON.parse(localStorage.cachedUser).persistentToken will give you the currently-logged-in user’s identifier for calling the API. If you set that value in your app’s localStorage you could then use it to query the API to glean that user’s permissions to the current project.

The Glitch API is currently undocumented and unofficial, but another community member has documented it from publicly-available calls - you can take a look at that in Glitch API & Documentation. It is subject to change at any time, but please let us know if something you’re relying on breaks.

Hope this helps!

Thanks @cori. That could be part of the solution, yes. I’m working with kids, so I’m a little loath to rely on something that will require me to go and do this for each of their projects.

BTW, I wasn’t worried about “browsing” … it’s fine for people to browse the app. I’m worried about when the app is running, only allowing the owner of the app to “save”. Right now, we have a little bit of a manual password setup, which is fine for letting them edit when they aren’t logged into glitch.

Our current solution is to put a PASSWORD=whatevertheywant in .env and have a login dialog.

It seems like you are saying that I could require them to be logged into glitch to edit, and then use the API to query (using their token) to see if they have permission?

(I admit I don’t see how to do that from those docs … hints? :thinking: )

@cori … do you have any examples or more guidance? I can’t see from those docs how to do what I think you are suggesting:

  • I can get the persistentToken
  • I see a bunch of API endpoints
  • I don’t see how I would use any of these to “call the Glitch API using that token to verify project membership”

If I could verify project membership using a token, then I could automate things: I could call from the browser back to the server, passing my token. The server could call the glitch API to verify the membership … I suspect I’m not understanding what you’re suggesting.
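
The PASSWORD-in-.env login mentioned in the thread, enforced on the server so that only someone who has logged in gets the “edit” button and can save; this is an added example, not code from the posters or from Glitch. The function names, the expiring HMAC-signed token and the signing key are assumptions for illustration.

```javascript
// Added example (not from the thread). Gate "save" on the server using the
// PASSWORD value from .env; helper names and token format are assumptions.
const nodeCrypto = require("node:crypto");

// Compare fixed-length digests so timingSafeEqual never sees unequal lengths.
// An empty or unset PASSWORD never matches, so a missing .env entry fails closed.
function passwordMatches(supplied, expected) {
  if (typeof supplied !== "string" || typeof expected !== "string" || expected === "") return false;
  const a = nodeCrypto.createHash("sha256").update(supplied).digest();
  const b = nodeCrypto.createHash("sha256").update(expected).digest();
  return nodeCrypto.timingSafeEqual(a, b);
}

// After a correct login, hand the browser an expiring token signed with a
// server-only key, so the password itself is not resent on every save.
function issueEditToken(signingKey, ttlMs, now = Date.now()) {
  const expires = String(now + ttlMs);
  const mac = nodeCrypto.createHmac("sha256", signingKey).update(expires).digest("hex");
  return `${expires}.${mac}`;
}

function editTokenValid(token, signingKey, now = Date.now()) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 2) return false;
  const [expires, mac] = parts;
  if (!/^\d+$/.test(expires) || !/^[0-9a-f]{64}$/.test(mac)) return false;
  const expected = nodeCrypto.createHmac("sha256", signingKey).update(expires).digest("hex");
  const ok = nodeCrypto.timingSafeEqual(Buffer.from(mac, "hex"), Buffer.from(expected, "hex"));
  return ok && Number(expires) > now;
}

// The server decides which buttons exist; hiding "edit" in the page is cosmetic.
function buttonsFor(token, signingKey, now = Date.now()) {
  return editTokenValid(token, signingKey, now) ? ["view", "edit"] : ["view"];
}

// Every save request is re-checked, whatever buttons the browser is showing.
function handleSave(token, signingKey, scene, store, now = Date.now()) {
  if (!editTokenValid(token, signingKey, now)) return { status: 403 };
  store.push(scene); // stand-in for writing the scene JSON file
  return { status: 200 };
}
```

In a running app the expected password would come from `process.env.PASSWORD`, and the signing key would be a separate random value kept only on the server.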