1. 25 Jan, 2017 3 commits
    • Robert Knight's avatar
      Whitelist and document the 'services' config param · 2e36d1f1
      Robert Knight authored
      Document the 'services' config param which the host page may provide to
      the client.
      2e36d1f1
    • Robert Knight's avatar
      Implement API token and profile fetching for OAuth clients · c604c0c3
      Robert Knight authored
      Implement access token and profile retrieval for embedders of the client
      that provide an OAuth grant token as part of the client's configuration.
      
      For a page embedding Hypothesis configured to use a 3rd-party account,
      the start up flow for the client is:
      
       1. Read service configuration from 'services' array in settings
      
       2. Exchange grant token from service config for an access token
          using the `POST /api/token` endpoint
      
       3. Fetch profile data using `GET /api/profile` endpoint
      
      On startup, the app reads the service config and then switches between
      either the cookie-based auth implementation or the OAuth-based auth
      implementation.
      
      In future, the cookie-based auth implementation will be removed in favor
      of OAuth-based auth for first-party accounts as well.
      c604c0c3
    • Robert Knight's avatar
      Remove auth => session dependency · 444482ec
      Robert Knight authored
      Simplify the "auth" service and remove the dependency on the
      "session" service. This will make it possible to introduce a "store" =>
      "session" dependency in future in order to support fetching the user's
      profile from the access token-authenticated /api/profile endpoint
      instead of the cookie-authenticated /app endpoint.
      
      The 'auth' service depended on 'session' for three things:
      
       - Being able to call `session.load()` in order to retrieve a CSRF
         token. This token is not needed for the `GET /api/token` endpoint
         following https://github.com/hypothesis/h/pull/4322
      
       - Calling `session.logout()`. This is fixed by removing the
         `auth.logout()` endpoint and changing the caller to call
         `session.logout()` directly instead. `session.logout()` in turn
         calls `auth.clearCache()` to clear cached API tokens.
      
       - Determining the current user ID in order to invalidate
         the cached token when that changes. The logic to clear the
         cache has instead been moved to the session service.
      
      This commit also adds additional tests for session logout.
      444482ec
  2. 24 Jan, 2017 8 commits
  3. 23 Jan, 2017 3 commits
  4. 19 Jan, 2017 3 commits
  5. 18 Jan, 2017 1 commit
    • Robert Knight's avatar
      Fetch access tokens and add Authorization header to API requests · 4b03e69d
      Robert Knight authored
      Remove the global HTTP interceptor provided by angular-jwt which added
      the Authorization header to API requests and replace it with explicit
      logic in `createAPICall` to do the same thing.
      
      This will enable replacing the JWT tokens with opaque access tokens when
      using a publisher-provided grant token for authentication.
      
      It also provides a more explicit way to only include the access token
      with requests to the API, rather than filtering based on the URL prefix
      of the request in the `tokenGetter` implementation.
      
       * Remove angular-jwt's HTTP interceptor and replace it with logic in
         store.js to explicitly fetch an access token using the `auth` module
         and add an Authorization header to API requests.
      
       * Convert standalone functions and global variables in auth.js to
         methods on the auth service. This will enable swapping out the
         current auth service implementation which uses cookies + CSRF
         for authentication with one that uses the OAuth grant token.
      
       * Fix several cases in store-test.js where functions that made
         assertions inside Promise callbacks did not explicitly wait for the
         Promise to resolve before finishing the test.
      4b03e69d
  6. 17 Jan, 2017 2 commits
  7. 16 Jan, 2017 7 commits
  8. 12 Jan, 2017 2 commits
  9. 10 Jan, 2017 7 commits
  10. 09 Jan, 2017 1 commit
  11. 05 Jan, 2017 3 commits
    • Robert Knight's avatar
      Remove initial redirect when sidebar loads · 1c933e5a
      Robert Knight authored
      Avoid redirecting to '/viewer' when the sidebar loads.
      
      This redirect is unnecessary since the sidebar never changes its mode
      once loaded and it caused the viewer embedded on a page to fail to load
      when restoring a closed tab in Chrome.
      
      This may also resolve issues where the user agent disallows the
      'replaceState' call in certain situations (search prod-client reports on
      Sentry for "replaceState")
      
      Fixes #178
      1c933e5a
    • Robert Knight's avatar
      0.50.0 · 26bd2791
      Robert Knight authored
      26bd2791
    • Robert Knight's avatar
      Update Change Log · 743ce656
      Robert Knight authored
      743ce656