To determine which user is signed in when a request reaches your plugin server, or in more formal words the "authentication context" of a request, you have two options:
Client side
This is not very secure, as the request is initiated and its result consumed by the browser, which is under the complete control of the end user. Do not rely on this method to enforce actions depending on the signed in user, because anything the browser reports can be manipulated:
// usually in plugins/PLUGIN_NAME/public/application.ts
// `http` is the core HTTP service handed to the plugin's setup/start hooks
http.get('/api/v1/configuration/account').then(resp => {
  console.log(resp)
})
Server side
This is the preferred approach to enforce authorization depending on the signed in user:
// usually in plugins/PLUGIN_NAME/server/routes/index.ts - in the "defineRoutes" function
router.get(
  {
    path: '/api/cybersift/whoami',
    validate: false,
  },
  async (context, request, response) => {
    // the below object is the important part: the authentication context
    // the server itself resolved for this request
    console.log(context.core.coreStart.http.auth.get(request))
    console.log("--------------")
    return response.ok({
      body: {
        status: "OK",
      },
    });
  }
)
Sample value logged by the handler above (the result of auth.get(request)):
{
  "status": "authenticated",
  "state": {
    "selectedTenant": "__user__",
    "authInfo": {
      "user": "User [name=admin, backend_roles=[admin], requestedTenant=__user__]",
      "user_name": "admin",
      "user_requested_tenant": "__user__",
      "remote_address": "127.0.0.1:49404",
      "backend_roles": [
        "admin"
      ],
      "custom_attribute_names": [
      ],
      "roles": [
        "own_index",
        "all_access"
      ],
      "tenants": {
        "global_tenant": true,
        "admin_tenant": true,
        "admin": true
      },
      "principal": null,
      "peer_certificates": "0",
      "sso_logout_url": null
    }
  }
}
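The server-side context is only useful if the route actually makes a decision with it. The following is an added example, not code from the original post: it models the `status`/`state` shape shown in the sample above as TypeScript types and turns it into an authorization decision (401 when the request is not authenticated, 403 when the signed-in user lacks a required role). The `AuthResult`, `Decision`, `authorize` and `whoAmIHandler` names, and the `unauthenticated`/`unknown` status values, are assumptions made for the example; the sample user is constructed to mirror the logged output.

```typescript
// Added example (not from the original post): make an authorization
// decision from the server-side authentication context shown above.
// Only the fields that appear in the sample output are modelled.

interface AuthInfo {
  user_name: string;
  backend_roles: string[];
  roles: string[];
  tenants: Record<string, boolean>;
}

interface AuthState {
  selectedTenant: string;
  authInfo: AuthInfo;
}

// Assumed shape of what auth.get(request) returns; "authenticated" is the
// value seen in the sample, the other two statuses are assumptions.
interface AuthResult {
  status: 'authenticated' | 'unauthenticated' | 'unknown';
  state?: AuthState;
}

interface Decision {
  allowed: boolean;
  httpStatus: 200 | 401 | 403;
  reason: string;
}

// Decide whether the caller may proceed. Only the context resolved by the
// server is consulted; nothing the browser claims about itself is trusted.
function authorize(auth: AuthResult, requiredRole: string): Decision {
  if (auth.status !== 'authenticated' || auth.state === undefined) {
    return { allowed: false, httpStatus: 401, reason: 'not authenticated' };
  }
  const roles = auth.state.authInfo.roles;
  if (!Array.isArray(roles) || !roles.includes(requiredRole)) {
    return { allowed: false, httpStatus: 403, reason: 'missing role ' + requiredRole };
  }
  return { allowed: true, httpStatus: 200, reason: 'ok' };
}

// Framework-agnostic stand-in for the route handler body: given the auth
// context, produce the status code and body the route should respond with.
function whoAmIHandler(auth: AuthResult): { status: number; body: object } {
  const decision = authorize(auth, 'all_access');
  if (!decision.allowed) {
    return { status: decision.httpStatus, body: { error: decision.reason } };
  }
  // Safe to dereference: authorize() already checked status and state.
  const info = (auth.state as AuthState).authInfo;
  return {
    status: 200,
    body: { status: 'OK', user: info.user_name, roles: info.roles },
  };
}

// Constructed sample mirroring the logged output in the post.
const sampleAdmin: AuthResult = {
  status: 'authenticated',
  state: {
    selectedTenant: '__user__',
    authInfo: {
      user_name: 'admin',
      backend_roles: ['admin'],
      roles: ['own_index', 'all_access'],
      tenants: { global_tenant: true, admin_tenant: true, admin: true },
    },
  },
};

// Constructed sample for a request the security layer did not authenticate.
const sampleAnonymous: AuthResult = { status: 'unauthenticated' };

console.log(whoAmIHandler(sampleAdmin));
console.log(whoAmIHandler(sampleAnonymous));
console.log(authorize(sampleAdmin, 'security_manager'));
```

In the real route you would replace the `auth` argument with `context.core.coreStart.http.auth.get(request)` from the handler above and map `status` onto `response.ok`, `response.unauthorized` or `response.forbidden`; the point is that the role check reads the server-resolved context, never a role name supplied by the client.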