Commit 8281804b authored by Nick Stenning's avatar Nick Stenning

Revert "Remove "assertion" GET param from token requests"

This reverts commit e0e23bde. This needs
more thought, as the X-CSRF-Token header won't currently be set for
cross-domain requests (such as those made by the extension sidebar).
parent 7b4723c8
...@@ -24,9 +24,12 @@ var cachedToken = INITIAL_TOKEN; ...@@ -24,9 +24,12 @@ var cachedToken = INITIAL_TOKEN;
* @return {Promise} - A promise for a new JWT token. * @return {Promise} - A promise for a new JWT token.
*/ */
// @ngInject // @ngInject
function fetchToken($http, settings) { function fetchToken($http, session, settings) {
var tokenUrl = new URL('token', settings.apiUrl).href; var tokenUrl = new URL('token', settings.apiUrl).href;
var config = { var config = {
params: {
assertion: session.state.csrf,
},
// Skip JWT authorization for the token request itself. // Skip JWT authorization for the token request itself.
skipAuthorization: true, skipAuthorization: true,
transformRequest: function (data) { transformRequest: function (data) {
...@@ -47,7 +50,7 @@ function fetchToken($http, settings) { ...@@ -47,7 +50,7 @@ function fetchToken($http, settings) {
// @ngInject // @ngInject
function fetchOrReuseToken($http, jwtHelper, session, settings) { function fetchOrReuseToken($http, jwtHelper, session, settings) {
function refreshToken() { function refreshToken() {
return fetchToken($http, settings).then(function (token) { return fetchToken($http, session, settings).then(function (token) {
return token; return token;
}); });
} }
......
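Review bot: The restored `params: { assertion: session.state.csrf }` in `fetchToken` places the CSRF token in the query string of the GET to the token endpoint, where it can be recorded in server and intermediary access logs, unlike a header value. The commit message says the `X-CSRF-Token` header is not set for cross-domain requests, so this is presumably a stopgap. I would mark it as such in the code, e.g. `// FIXME: CSRF token is sent as a query param because X-CSRF-Token is not set cross-domain; move it to a header once the API accepts it.` It is also worth confirming that `session.state.csrf` is always populated before `fetchToken` runs, since an undefined value would likely be dropped from the query and the request sent without the assertion. The body of `fetchToken` continues outside the hunk, and the second hunk only threads `session` through from `fetchOrReuseToken`.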
...@@ -16,6 +16,7 @@ describe('auth', function () { ...@@ -16,6 +16,7 @@ describe('auth', function () {
get: sinon.spy(function (url, config) { get: sinon.spy(function (url, config) {
assert.equal(config.skipAuthorization, true); assert.equal(config.skipAuthorization, true);
assert.equal(url, 'https://test.hypothes.is/api/token'); assert.equal(url, 'https://test.hypothes.is/api/token');
assert.equal(config.params.assertion, fakeSession.state.csrf);
var result = {status: 200, data: fakeTokens[fakeTokenIndex]}; var result = {status: 200, data: fakeTokens[fakeTokenIndex]};
++fakeTokenIndex; ++fakeTokenIndex;
......