Keep-web flow » History » Version 4
Tom Clegg, 12/23/2015 09:51 PM
h1. Keep-web flow
(Note: this page is an alternate explanation of the authoritative docs at https://godoc.org/git.curoverse.com/arvados.git/services/keep-web#hdr-Authorization_mechanisms)
Keep-web serves files from Keep collections as normal HTTP documents.
This is mitigated two ways:
# By serving files with "content-disposition: attachment" which tells the browser to open up the download dialog straight away and don't try to show the files.
# Using separate a separate domain for downloading, so the browser won't send workbench cookies.
This raises the challenge: how to provide the API token to keep-web to enable download?
keepweb accepts an API token the following ways:
* With @Authorization: OAuth2@ header
* With @Authorization: Basic@ header
* With @?api_token=xxx@ query string
* With a cookie called @arvados_api_token@
* With @/t=xxx/@ at the start of the path
# when doing a GET request, the API token must be either part of the request URI or a header (browser does not send the workbench cookie when keep-web is on a different domain)
# We want to hide the API token from the user unless it is a "sharing" link