When using Forge, your app may have access to contextual information that originates from various sources. Since data originating from or passing through the browser can be altered or tampered with, it's important to understand which parts of this contextual information are guaranteed to be secure, unalterable, and thus valid to be used for authorization purposes.
When you use contextual information that is not guaranteed to be secure and unalterable, it is your
responsibility to ensure that usage of this contextual
information does not allow a customer to have any sort of unauthorized access.
You may use the secure parts of the contextual information to determine and authorize access.
For example, you can use the accountId in the custom UI resolver context payload to check a
user's access to some content.
For UI Kit, the contextual information is available through the use of Hooks, Bridge and Invoke methods. The same methods, Bridge and Invoke, are also applicable for accessing contextual information in Custom UI.
Only license, accountId, accountType, and installContext from the context parameter in each resolver function are
guaranteed to be secure, unalterable, and valid to be used for authorization.
You should not use the contextual information from the getContext API for authorization, as it is
able to be modified in the browser and is not guaranteed to be secure, unalterable, and valid to be used
for authorization.
Contextual information is made available in UI Kit via the useProductContext hook.
Only license, accountId and installContext are guaranteed to be secure, unalterable, and valid
to be used for authorization.
Rate this page: