Bug #16812

Updated by Peter Amstutz over 4 years ago

Users are sharing download URLs with embedded user tokens. Workbench2 should hand off to keep-web in a way that does not expose the token to the user.

I believe the way Workbench 1 does it is by linking to a special workbench path, which returns a redirect which includes ?api_token in the query; when keep-web gets the request it returns a cookie and another redirect to the final URL with the ?api_token stripped. This is the one the user sees, with the token safely stashed in a cookie.

The different methods of doing token hand-off are described here:

https://dev.arvados.org/projects/arvados/repository/revisions/master/entry/services/keep-web/doc.go

> // If a token is provided in a query string or in a POST request, the
> // response is an HTTP 303 redirect to an equivalent GET request, with
> // the token stripped from the query string and added to a cookie
> // instead.

Workbench 2 collection should do something like:

# Provide "copy link to clipboard" in the context menu. The copied link must not have the token.
## This should probably be a special workbench2 link which will verify the user is logged in (or go through the login dance) and then redirect to keep-web as described next.
# The "open file" and "open in new tab" behaviors should navigate to the download location with ?api_token in the query (it must not include the token in the path with "/t=.../").
# Keep-web will respond with a redirect which strips ?api_token from the URL and puts the token in a cookie.
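The hand-off described above (token arrives in ?api_token, server answers 303 to the same URL without it and stores the token in a cookie) as an added illustration in Go; this is example code written for this page, not keep-web's or Workbench2's own implementation. The cookie name `arvados_api_token`, the path-segment check for `/t=.../`, and the sample URLs are assumptions made for the example. It also includes a small `isShareableLink` check that the "copy link to clipboard" feature could run to make sure a copied link carries no token in either the query or the path.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Assumed names for this example; keep-web's real constants may differ.
const (
	tokenParam = "api_token"
	cookieName = "arvados_api_token"
)

// stripToken returns the request URL with the api_token query parameter
// removed, which is what the user's browser ends up showing after the 303.
func stripToken(u *url.URL) string {
	q := u.Query()
	q.Del(tokenParam)
	clean := *u
	clean.RawQuery = q.Encode()
	return clean.String()
}

// isShareableLink reports whether a link is safe to copy to the clipboard:
// it must not carry a token in the query string or in a "/t=.../" path segment.
func isShareableLink(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Query().Get(tokenParam) != "" {
		return false
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if strings.HasPrefix(seg, "t=") {
			return false
		}
	}
	return true
}

// handoffHandler implements the redirect described in keep-web's doc.go:
// a token supplied in the query string (or a POST form) is moved into a
// cookie and the client is sent a 303 to the equivalent token-free GET URL.
// Requests without a query token must present the cookie instead.
func handoffHandler(w http.ResponseWriter, r *http.Request) {
	// FormValue reads the query string for GET and the form body for POST.
	if token := r.FormValue(tokenParam); token != "" {
		http.SetCookie(w, &http.Cookie{
			Name:     cookieName,
			Value:    token,
			Path:     "/",
			HttpOnly: true, // not readable from page scripts
			Secure:   true, // only sent over TLS
			SameSite: http.SameSiteLaxMode,
		})
		http.Redirect(w, r, stripToken(r.URL), http.StatusSeeOther)
		return
	}
	c, err := r.Cookie(cookieName)
	if err != nil || c.Value == "" {
		http.Error(w, "token required", http.StatusUnauthorized)
		return
	}
	// At this point the token would be validated against the API server and the
	// file served; the example just acknowledges the cookie-authenticated request.
	fmt.Fprintf(w, "serving %s with cookie token\n", r.URL.Path)
}

func main() {
	http.HandleFunc("/", handoffHandler)
	// Listens locally for manual testing; not reached when run under the test harness.
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Run `go run` on the block and request `http://127.0.0.1:8080/c=example/foo.txt?api_token=placeholder` with `curl -v`; the first response is a 303 to `/c=example/foo.txt` plus a Set-Cookie header, and following the redirect with the cookie jar yields the served response with no token in the URL.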
