
Get authtoken from viewer URL #453

Closed
mrbannon opened this issue Jul 26, 2016 · 5 comments

Comments

@mrbannon (Contributor)

Assume we have the following viewer URL for a Resource:

https://rodan.simssa.ca/resource/uuid/viewer/

When opening in a new tab we cannot set the auth token in the header (JavaScript doesn't allow this). What we CAN do is add the auth token as a GET parameter. Imagine the URL sent to Rodan now looks like the following:

https://rodan.simssa.ca/resource/uuid/viewer/?authtoken=

Please do the following: when serving viewer URL requests in Rodan, if the auth token is not in the header, check if 'authtoken' exists as a GET parameter and use that instead. Django currently returns a 40x response if the token isn't in the header, so you may have to investigate how to circumvent that behaviour.

@lingxiaoyang (Member)

Ryan, I don't think it's good to write the authtoken in the URL, as the location object is global and the token can be read by any other scripts. I encountered this problem with interactive jobs and I added a temporary access code there. I suggest using the same method: 1. Before visiting the viewer URL, do another GET request to obtain a temporary access code; 2. Then put this code in the URL of the resource viewer.


@mrbannon (Contributor, Author)

Excellent idea


@ahankinson (Member)

Note that constantly changing access keys caused all kinds of problems with @AFFogarty's interactive classifier.

@mrbannon (Contributor, Author)

That was a different issue, since he had to keep renewing his token so he could submit his work. We only need to get the data once, if I'm not mistaken.

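The two-step scheme proposed above (an authenticated GET that hands out a temporary access code, then the viewer URL carrying that code instead of the long-lived authtoken) and the concern raised later about constantly changing keys can both be covered by one server-side design: a code that is random, short-lived, bound to a single resource and consumed on first use, so the viewer tab gets its data once and nothing needs renewing. The following is an added illustration written for this thread, not Rodan's code; `AccessCodeStore`, `authenticate_viewer_request`, `CODE_TTL_SECONDS`, the `access_code` query parameter and the sample `AUTH_TOKENS` table are all assumed names and constructed data. It uses only the Python standard library so it runs without Django.

```python
"""Single-use, resource-bound access codes for a viewer URL opened in a new tab.

Added example for the issue discussion, not the project's own code.
Assumed names: AccessCodeStore, authenticate_viewer_request, CODE_TTL_SECONDS,
the 'access_code' query parameter and the constructed AUTH_TOKENS table.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: a code only has to survive the tab opening, so one minute is plenty.
CODE_TTL_SECONDS = 60

# Constructed sample of the normal long-lived auth tokens (token value -> user id).
AUTH_TOKENS: Dict[str, str] = {"tok-alice-LONG-LIVED": "alice"}


@dataclass
class _CodeRecord:
    user_id: str
    resource_id: str
    expires_at: float


class AccessCodeStore:
    """In-memory store of temporary codes; a real deployment would use the DB or cache."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._codes: Dict[str, _CodeRecord] = {}
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def issue(self, user_id: str, resource_id: str) -> str:
        """Step 1: called from the header-authenticated GET; returns a fresh code."""
        code = secrets.token_urlsafe(32)  # 256 bits of randomness, safe to place in a URL
        self._codes[code] = _CodeRecord(user_id, resource_id, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str, resource_id: str) -> Optional[str]:
        """Step 2: consume the code presented in the viewer URL; returns user_id or None."""
        record = self._codes.pop(code, None)  # pop first: one use only, even on failure
        if record is None:
            return None
        if self._clock() > record.expires_at:
            return None  # expired; the pop above means it cannot be retried later
        if record.resource_id != resource_id:
            return None  # bound to one resource: a code issued for A cannot open B
        return record.user_id


def user_from_header(headers: Dict[str, str]) -> Optional[str]:
    """Normal path: 'Authorization: Token <value>', compared in constant time."""
    value = headers.get("Authorization", "")
    if not value.startswith("Token "):
        return None
    presented = value[len("Token "):]
    for token, user_id in AUTH_TOKENS.items():
        if hmac.compare_digest(presented, token):
            return user_id
    return None


def authenticate_viewer_request(store: AccessCodeStore, resource_id: str,
                                headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Header first; when it is absent, accept only a temporary code, never ?authtoken=."""
    user_id = user_from_header(headers)
    if user_id is not None:
        return user_id
    code = query.get("access_code")
    if code is None:
        return None  # a long-lived token in the query string is deliberately not honoured
    return store.redeem(code, resource_id)


if __name__ == "__main__":
    store = AccessCodeStore()
    # Step 1 happens in a request that carries the normal header.
    code = store.issue("alice", "uuid-1")
    # Step 2 is the new tab loading the viewer with ?access_code=<code>.
    print(authenticate_viewer_request(store, "uuid-1", {}, {"access_code": code}))
    print(authenticate_viewer_request(store, "uuid-1", {}, {"access_code": code}))
```

Because the code is popped before any check, a code that fails the resource or expiry check is gone as well, and because the long-lived token is never read from the query string, it cannot end up in the global location object, browser history or server access logs even if a client puts it there.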

@NegarehMir (Contributor)

Done on Viewer branch. Commit: a7735c1
