I am working on something which includes LWC with the Tooling API. I wrote the method below, which makes a callout. But when I call this method from LWC, I'm unable to get the session Id, but if I call this same method from the developer console then it works fine.

Apex Code:
@AuraEnabled 
public static string getList(String fieldName){  
    HttpRequest req = new HttpRequest();
    req.setHeader('Authorization', 'Bearer ' + UserInfo.getSessionId());
    System.debug('res------>'+UserInfo.getSessionID());
    req.setHeader('Content-Type', 'application/json');
    req.setEndpoint('callout:Tooling_Query/query/?q=Select+id,Namespaceprefix,developername,TableEnumOrId+FROM+customfield+Where+developername+LIKE\'' +fieldName+ '\'');
    req.setMethod('GET');
    Http h = new Http();
    HttpResponse res = h.send(req);
    System.debug('res------>'+res.getBody());       
    return res.getBody();
}

When I call it from LWC it returns this:

[{"message":"This session is not valid for use with the REST API","errorCode":"INVALID_SESSION_ID"}]

So, how can I get the session Id from LWC? I already set up a Connected App and a Named Credential by the name of Tooling_Query and added the URL to remote sites.

Please help me here.

1 Answer

You can't. Your Apex code called in a Lightning Web Components context cannot get an API-enabled Session Id. This is documented in the Lightning Web Components Dev Guide:

By security policy, sessions created by Lightning components aren’t enabled for API access. This restriction prevents even your Apex code from making API calls to Salesforce. Using a named credential for specific API calls allows you to carefully and selectively bypass this security restriction.

The restrictions on API-enabled sessions aren’t accidental. Carefully review any code that uses a named credential to ensure you’re not creating a vulnerability.

The only supported approach is to use a Named Credential authenticated as a specific user.


There is a hack floating around that exploits a Visualforce page to obtain a Session Id from such an Apex context. I do not recommend doing this, especially if you need to access the privileged Tooling API. Use the correct solution and build a Named Credential.

David Reed
  • Sir, I already set up a Named Credential with Authenticated as tyagih@gmail.com Status, but I'm getting the same result – Harshit Tyagi Apr 22 '22 at 11:26
  • Did you use the Named Credential explicitly in your callout? The system won't use it automatically. – David Reed Apr 22 '22 at 13:42
  • Yes, I did, but the same result. I just edited my Apex class code above. – Harshit Tyagi Apr 25 '22 at 07:15
  • @DavidReed chicken and egg here: I sometimes use the SessionId from Visualforce to call Metadata API to create (now forbidden) or modify (allowed when packaged) NamedCredential. See here: https://github.com/rsoesemann/app-setup/blob/master/force-app/main/default/classes/SetupBackendConnection.cls#L86 – Robert Sösemann Jan 18 '23 at 14:43
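
The Named Credential approach from the answer, as an added example that is not part of the original thread or any poster's code. It assumes the `Tooling_Query` Named Credential from the question points at the org's `/services/data/vNN.0/tooling` base URL and generates the Authorization header itself; the class name `ToolingFieldLookup` and the custom permission `Tooling_Field_Lookup` are hypothetical.

```apex
public with sharing class ToolingFieldLookup {
    // Hypothetical custom permission: the callout runs with the Named Credential
    // user's privileges, so gate who may trigger it from a component.
    private static final String REQUIRED_PERMISSION = 'Tooling_Field_Lookup';

    @AuraEnabled
    public static String getList(String fieldName) {
        if (!FeatureManagement.checkPermission(REQUIRED_PERMISSION)) {
            throw new AuraHandledException('Not authorized');
        }
        // Allow-list the client-supplied value: developer-name characters plus
        // the LIKE wildcard %. The length limit is a constructed value.
        if (fieldName == null || !Pattern.matches('[A-Za-z0-9_%]{1,80}', fieldName)) {
            throw new AuraHandledException('Invalid field name');
        }

        // escapeSingleQuotes is defense in depth on top of the allow-list,
        // so the value cannot break out of the SOQL string literal.
        String soql = 'SELECT Id, NamespacePrefix, DeveloperName, TableEnumOrId '
            + 'FROM CustomField WHERE DeveloperName LIKE \''
            + String.escapeSingleQuotes(fieldName) + '\'';

        HttpRequest req = new HttpRequest();
        // No UserInfo.getSessionId() and no Authorization header here:
        // assumption is that the Named Credential supplies the token at send time.
        req.setEndpoint('callout:Tooling_Query/query/?q='
            + EncodingUtil.urlEncode(soql, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Accept', 'application/json');

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Log the failure server-side; do not echo raw API errors to the client.
            System.debug(LoggingLevel.ERROR,
                'Tooling query failed: ' + res.getStatusCode() + ' ' + res.getStatus());
            throw new AuraHandledException(
                'Tooling API query failed (HTTP ' + res.getStatusCode() + ')');
        }
        return res.getBody();
    }
}
```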