Commit e0e23bde authored by Nick Stenning's avatar Nick Stenning

Remove "assertion" GET param from token requests

When fetching a JWT from the server, the client needs to supply the
session CSRF token in order to prevent third-party pages from being able
to fetch and use tokens without the user's permission.

Previously, it was necessary to supply this token in the "assertion" GET
parameter -- in an attempt to make this look a bit like an OAuth token
issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out
not to be necessary, because Angular's CSRF support retrieves the token
from an XSRF-TOKEN cookie set in earlier requests and sets the
X-CSRF-Token request header automatically.
parent 326b4518
...@@ -24,12 +24,9 @@ var cachedToken = INITIAL_TOKEN; ...@@ -24,12 +24,9 @@ var cachedToken = INITIAL_TOKEN;
* @return {Promise} - A promise for a new JWT token. * @return {Promise} - A promise for a new JWT token.
*/ */
// @ngInject // @ngInject
function fetchToken($http, session, settings) { function fetchToken($http, settings) {
var tokenUrl = new URL('token', settings.apiUrl).href; var tokenUrl = new URL('token', settings.apiUrl).href;
var config = { var config = {
params: {
assertion: session.state.csrf,
},
// Skip JWT authorization for the token request itself. // Skip JWT authorization for the token request itself.
skipAuthorization: true, skipAuthorization: true,
transformRequest: function (data) { transformRequest: function (data) {
...@@ -50,7 +47,7 @@ function fetchToken($http, session, settings) { ...@@ -50,7 +47,7 @@ function fetchToken($http, session, settings) {
// @ngInject // @ngInject
function fetchOrReuseToken($http, jwtHelper, session, settings) { function fetchOrReuseToken($http, jwtHelper, session, settings) {
function refreshToken() { function refreshToken() {
return fetchToken($http, session, settings).then(function (token) { return fetchToken($http, settings).then(function (token) {
return token; return token;
}); });
} }
......
...@@ -16,7 +16,6 @@ describe('auth', function () { ...@@ -16,7 +16,6 @@ describe('auth', function () {
get: sinon.spy(function (url, config) { get: sinon.spy(function (url, config) {
assert.equal(config.skipAuthorization, true); assert.equal(config.skipAuthorization, true);
assert.equal(url, 'https://test.hypothes.is/api/token'); assert.equal(url, 'https://test.hypothes.is/api/token');
assert.equal(config.params.assertion, fakeSession.state.csrf);
var result = {status: 200, data: fakeTokens[fakeTokenIndex]}; var result = {status: 200, data: fakeTokens[fakeTokenIndex]};
++fakeTokenIndex; ++fakeTokenIndex;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment