[SalesForce] Lightning: is direct API access on the roadmap

I'm programming developer tools and an IDE. Right now, my code is based on Visualforce and JavaScript. As described here, I would like to convert most of my API callouts from APEX to JavaScript.

Also, I would like to shift my development from Visualforce to Lightning. But API access seems to be a challenge: How to call a Salesforce REST URL from Lightning Component?

CSP is blocking the access and I'm not clear about the future perspective on this.

MartyC. found a workaround, which bypasses this limitation via APEX. But if my understanding of Doug's answer is correct, this path is open unintentionally and is likely to be closed in the future:

The lightning application separate domain also uses a special
lightning session ID that does not have direct API access. The fact
that you can currently provide indirect access to a fully API capable
session ID is a great example of why our content security policy is
currently so restrictive. Leaking an API sid back to the client in a
way that malicious JavaScript can easily steal is precisely why we
have things locked down so tightly today.

So as a consequence, Lightning Apps can at best try to get indirect API access. If the API access is turned off on purpose for security reasons, indirect mechanisms could also count as "hacks" and might be prevented later.

Are there any plans to open up Lightning API access in the near future?

Best Answer

We are still working out the details of this type of access - there are multiple reasons we have this in place today:

  • security as discussed in my other posts/answers
  • performance: direct access via arbitrary XHR client code cannot take advantage of the scarce resource (connections) management infrastructure provided by Lightning's Action Service. We've had significant challenges in this area within Salesforce because our native container and web content do not share a common scarce resource layer
  • offline support: the offline, occasionally connected, and locally served speed capabilities in S1 and other Lightning based applications are based on Action Service, Storage Service, and the upcoming Data Service. Going "around" these services is going to bite most projects at some point and we're really trying to future proof things and save everyone a ton of grief

One thing we are looking into is providing a thin XHR proxy that is built on top of the Action Service, Storage Service, etc. I've personally been working on this concept as a plugin for AngularJS's $http API - would let you use Angular's $http API and get the Lightning Components Action Service benefits simultaneously! Same idea for Sencha Ext/Touch with a DataProxy implemented on top of ActionService.
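
The proxy idea from the answer above, sketched as an added example (not code from the answer's author or from Salesforce): the component validates each request and hands it to a server-side action, so no API-capable session ID is ever returned to client JavaScript. The `enqueue` transport, the allow-listed prefix and all function names are hypothetical stand-ins, and the fake transport is constructed for illustration.

```javascript
// Added example: a thin client-side request proxy in the spirit of the answer.
// `enqueue` is a hypothetical stand-in for handing a request to a server-side
// action (in Lightning, the Action Service); it is NOT a Salesforce API.
const ALLOWED_PREFIX = "/services/data/";            // assumed allow-list
const ALLOWED_METHODS = new Set(["GET", "POST", "PATCH", "DELETE"]);
const STRIPPED_HEADERS = new Set(["authorization", "cookie"]);

// Validate and normalise a request before it leaves the component.
function toActionParams(req) {
  const method = String(req.method || "GET").toUpperCase();
  if (!ALLOWED_METHODS.has(method)) throw new Error("method not allowed: " + method);
  const path = String(req.url || "");
  // Relative paths under the prefix only: no scheme, no host, no traversal.
  if (!path.startsWith(ALLOWED_PREFIX) || /\.\.|\\|%2e|%5c/i.test(path)) {
    throw new Error("path not allowed: " + path);
  }
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    // Credentials are attached server-side; the client never supplies them.
    if (!STRIPPED_HEADERS.has(name.toLowerCase())) headers[name] = String(value);
  }
  const body = req.body == null ? null : JSON.stringify(req.body);
  return { method, path, headers, body };
}

// Returns an $http-like function; the session ID never reaches this code.
function createProxy(enqueue) {
  return function request(req, callback) {
    let params;
    try { params = toActionParams(req); } catch (e) { return callback(e, null); }
    enqueue(params, (err, res) => {
      if (err) return callback(err, null);
      callback(null, { status: res.status, data: JSON.parse(res.body) });
    });
  };
}

// Constructed fake transport: records what the server side would receive.
function fakeEnqueue(log) {
  return (params, done) => {
    log.push(params);
    done(null, { status: 200, body: '{"ok":true}' });
  };
}
```

The server-side action that receives these parameters still has to repeat the path and method checks, since anything enforced only in client code can be bypassed.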