Bug #16812
Updated by Peter Amstutz over 4 years ago
Users are sharing download URLs with embedded user tokens. Workbench2 should hand off to keep-web in a way that does not expose the token to the user.
I believe the way Workbench 1 does it is by linking to a special workbench path, which returns a redirect that includes ?api_token in the query. When keep-web gets the request, it returns a cookie and another redirect to the final URL with the ?api_token stripped; this is the one the user sees, with the token safely stashed in a cookie.
The different methods of doing token hand-off are described here:
https://dev.arvados.org/projects/arvados/repository/revisions/master/entry/services/keep-web/doc.go
> // If a token is provided in a query string or in a POST request, the
> // response is an HTTP 303 redirect to an equivalent GET request, with
> // the token stripped from the query string and added to a cookie
> // instead.
Workbench 2 collection view should do something like:
# Provide "copy link to clipboard" in the context menu. The copied link must not contain the token.
# The "open file" and "open in new tab" behaviors should navigate to the download location with ?api_token in the query (it must not embed the token as a "/t=.../" path segment, which would survive in the URL the user sees).
# Keep-web will respond with a redirect which strips ?api_token from the URL and puts the token in a cookie.
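The exchange above, worked through as an added example that is not keep-web's or Workbench 2's code: a small Go handler plays the keep-web side (query token in, 303 out with the token moved to a cookie, then the cookie-bearing follow-up request is served), and a second helper implements the "copy link" rule by flagging any URL that still carries a token in the query or as a /t=.../ path segment. The cookie name `arvados_api_token`, the hostname `collections.example` and the token value are assumptions for illustration; check doc.go for keep-web's real cookie name.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenCookie is the cookie name used in this illustration (assumed; see
// keep-web's doc.go for the real one).
const tokenCookie = "arvados_api_token"

// handOff plays the keep-web side of the exchange: a token arriving in the
// query string is moved into a cookie and the client gets a 303 to the same
// URL with the token removed. A request that already carries the cookie is
// served; one with neither is refused.
func handOff(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if tok := q.Get("api_token"); tok != "" {
		q.Del("api_token")
		clean := *r.URL // copy, so the request's own URL is left untouched
		clean.RawQuery = q.Encode()
		http.SetCookie(w, &http.Cookie{
			Name:     tokenCookie,
			Value:    tok,
			Path:     "/",
			HttpOnly: true, // scripts in served pages cannot read the token
			Secure:   true,
			SameSite: http.SameSiteLaxMode,
		})
		http.Redirect(w, r, clean.String(), http.StatusSeeOther)
		return
	}
	c, err := r.Cookie(tokenCookie)
	if err != nil || c.Value == "" {
		http.Error(w, "token required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "serving %s", r.URL.Path)
}

// HandOffResult records what a browser would observe across the two hops.
type HandOffResult struct {
	FirstStatus  int    // expected 303 when a query token was supplied
	Location     string // the URL the user ends up seeing; must lack the token
	CookieValue  string // the token, now carried in the cookie instead
	SecondStatus int    // expected 200 once the cookie is presented
	Body         string
}

// RunHandOff drives handOff the way a redirect-following browser would,
// using an in-memory recorder instead of a network listener.
func RunHandOff(rawURL string) HandOffResult {
	var res HandOffResult
	rec := httptest.NewRecorder()
	handOff(rec, httptest.NewRequest("GET", rawURL, nil))
	resp := rec.Result()
	res.FirstStatus = resp.StatusCode
	res.Location = resp.Header.Get("Location")
	cookies := resp.Cookies()
	if len(cookies) > 0 {
		res.CookieValue = cookies[0].Value
	}
	if res.FirstStatus != http.StatusSeeOther {
		return res
	}
	req2 := httptest.NewRequest("GET", res.Location, nil)
	for _, c := range cookies {
		req2.AddCookie(c) // the browser replays the cookie on the clean URL
	}
	rec2 := httptest.NewRecorder()
	handOff(rec2, req2)
	res.SecondStatus = rec2.Code
	res.Body = rec2.Body.String()
	return res
}

// LinkLeaksToken reports whether a URL a user might paste elsewhere carries a
// token as ?api_token=... or as a /t=.../ path segment. The "copy link" action
// in the issue must only ever produce URLs for which this returns false.
func LinkLeaksToken(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true // unparseable: treat as unsafe rather than guess
	}
	if u.Query().Get("api_token") != "" {
		return true
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if strings.HasPrefix(seg, "t=") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a Workbench-style download link with the token in the query.
	res := RunHandOff("https://collections.example/c=abc/foo.txt?api_token=v2%2Fzzzz%2Fsecret")
	fmt.Printf("%d -> %s (cookie: %q), then %d: %s\n",
		res.FirstStatus, res.Location, res.CookieValue, res.SecondStatus, res.Body)
	fmt.Println("shareable:", !LinkLeaksToken(res.Location))
}
```

The point to check in a real deployment is the same one the test below exercises: the Location header of the 303 must be free of the token, and the only place the token survives is a Secure, HttpOnly cookie.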