Programmatic use of Corvid via wix-http-functions API from Android

UPDATE:
I have found a work-around for the problem below (see my comment below), but I consider it a hack.

WIX PLEASE UPDATE THE API TO ALLOW TRUE PROGRAMMATIC ACCESS TO CORVID APIs FROM iOS/Android!

Original Post:

My mobile app needs to access my Wix site and do things like log in, query a user’s data and utilize those results within the app. However, the Wix API documentation seems to assume the APIs are called from javascript on web pages hosted on my Wix site.

I want to create an API basis for doing programmatically what someone can do on the website, including logging in, querying the various databases on my site for user-specific data, etc. so that mobile applications can access it as easily as the browser.

I looked into the back-end function approach creating a http-functions.js file in the Backend folder per this link , but I am running into errors trying that approach. I think I must be missing something fundamental, because many of the Wix API I want to support in my Backend function fail with permissions error.

So what is the approach I need to take in order (for example) to support querying my Members database for data associated with a particular member? This database has permissions set for either site member or site member author. For example, here is some code that needs to determine whether or not a particular user (identified by email) has any ‘connections’ to others:

export async function get_utils(request) {
    console.log("utils function called");

 let response = { "headers": {"Content-Type": "application/json"} };
 response.body = {"result":false};
 
 const operation = request.path[0]; // "login"
 switch (request.path[0]) {

     case 'connections':
     {
         const email = request.query["email"];
         await wixData.query("SITConnections")
                    .include("SITMembers")
                    .eq("memberEmail", email)
                    .find()
                    .then( (results) => {
             if (results.items.length > 0) {
                console.log("Found " + results.items.length + " connections.")
                for (let i= 0 ; i < results.items.count ; i++) {
                    //TODO Create response data here
                }
                response.body = {"result": true, "items" : results.items};
             } else {
                 console.log("Found 0 connections.")
                 response.body = {"result": false};
             }
         })
         .catch( (error) => {
             console.log("Got error: " + error);
         response.body = {"result":false,"errormsg" : error.message};
         });
         return ok(response);
     }   

     default:
         response.body = {"result": false};
         return ok(response);        
 }

But calling this results in a permissions error: WDE0027: The current user does not have permissions to read on the SITCOnnections collection.

Which based on this implementation is understandable - just calling this API as-is doesn’t have any credentials associated with it - I haven’t logged in, passed any type of a token, etc…

Yet the documentation for wix-http-functions clearly anticipates people doing what I am trying to do because it states:

Using Corvid you can create functions to expose the functionality of your site as a service. That means other people can use the functionality of your site by writing code that calls your site’s API as defined by Wix Functions you create.

You might want to use HTTP functions to:

• Integrate your site with an automation tool, such as Zapier or IFTTT.

• Receive notifications and information from external webhooks.

• Share a backend between your site and a native mobile application.

The last bullet is exactly what I’m trying to do! Surely there is a way to indicate to the back-end functions which “logged in user” is associated with the request being made, similarly as if it was coming from a web page?

How?

After further experimentation and review of the various APIs, I found that some of the wix-data APIs support using a parameter that allows me to execute the API without authorization . This means I can at least work around the issues described above by creating a back-end function that performs its duties against my database that is only called by my mobile app once I have validated login credentials.

And notice I said “validated login credentials”, not “fully logged in”.

Because the back-end login() API returns a session token if successful, I can code my use of it to essentially return “credentials validated” or “credentials not validated” and forego using the session token entirely, and instead call a separate back-end function (like in my original post) with the options to ignore the authorization check as long as the credentials were validated in the first step.

Am I missing something?

WIX - please provide a more standard token-API approach that can be completely handled programmatically! Or if this is possible, please make it clearer how to do it! What I would expect:

1. Back-end function that can complete login without having to rely on a front-end web page. This should return some sort of token that can be used by other APIs.
2. Augment the API (or document how to use this token) so that the token returned from step (1) can be used to make other HTTP/HTTPS calls within the Corvid API so we have complete programmatic access without having to rely on web pages to access Corvid functionality.
3. Alternatively, use an approach similar to how Dropbox does it (check out their Java 2 API) - you can log in once to get your token, then use that to initialize a “Dropbox client” which is then used to make all the API calls. Works great.