Fixing public dashboards

dragonsahead · dragonsahead · commit f8fb33e85748 · 2021-05-10T18:00:55.000-03:00
diff --git a/node/index.js b/node/index.js
@@ -91,15 +91,15 @@ app.get("/signed_dashboard/:id", checkAuth, (req, res) => {
 app.get("/signed_public_dashboard/", (req, res) => {
   const userId = req.session.userId;
   const unsignedToken = {
-      resource: { dashboard: DASHBOARD_ID },
-      params: { id: userId },
+      resource: { dashboard: 1 },
+      params: { },
       exp: Math.round(Date.now() / 1000) + (10 * 60) // 10 minute expiration
   };
   // sign the JWT token with our secret key
   const signedToken = jwt.sign(unsignedToken, MB_EMBEDDING_SECRET_KEY);
   // construct the URL of the iframe to be displayed
   const iframeUrl = `${MB_SITE_URL}/embed/dashboard/${signedToken}`;
-  res.render("dashboard", { userId: req.params.id, iframeUrl: iframeUrl });
+  res.render("public_dashboard", { iframeUrl: iframeUrl });
 })
 
 app.listen(PORT, () => {
diff --git a/node/views/public_dashboard.pug b/node/views/public_dashboard.pug
@@ -0,0 +1,45 @@
+extends layout.pug
+
+block content
+    h1 Signed dashboards without parameters</h1>
+
+    p
+        This is an example of a signed embedded dashboard. We haven't signed any parameters, but we have signed the resource id (in this case dashboard 1). This is means that only application with the signing key are allowed to embed a Metabase resource (vs the public link which can be copy/pasted and shared). Signed embeds can also be set to have an expiration time, which further improves security.
+
+    p
+        To embed this dasbhoard in a webpage (as below), you'll need to generate a url on the server by signing a dictionary specifying the resource and it's signed parameters as below
+
+
+    pre.
+        payload = {
+            "resource": {"dashboard": 1},
+            "params": { }
+        }
+
+        token = jwt.encode(payload, METABASE_SECRET_KEY, algorithm="HS256").decode('utf8')
+
+        iframeUrl = METABASE_SITE_URL + "/embed/dashboard/" + token + "#bordered=true"
+        
+    p In the place you wish to embed the chart in your HTML, insert the below:	
+
+    pre.
+        &lt;iframe
+            src="http://{% templatetag openvariable %}iframeUrl{% templatetag closevariable %}"
+            frameborder="0"
+            width="800"
+            height="600"
+            allowtransparency
+        &gt;&lt;/iframe&gt;
+
+    a(href="/") Go back to a global view
+
+    p This results in the below when put together
+
+    h2 Global Order Stats
+
+    iframe(src=iframeUrl
+            width="1200" 
+            height="800" 
+            frameborder="0")
+
+
