1. 05 Aug, 2014 2 commits
  2. 04 Aug, 2014 4 commits
    • Randall Leeds's avatar
      Merge pull request #1357 from hypothesis/identity-refactor · 805e9dfa
      Randall Leeds authored
      Refactoring identity and auth
      805e9dfa
    • Randall Leeds's avatar
      Refactor and isolate identity, auth, and session · 4cf39590
      Randall Leeds authored
      Introduce a new module on the frontend called `h.identity` which
      abstracts the interaction between the main application and the
      authentication system using the `navigator.id` API introduced by
      Mozilla as part of Persona / BrowserID. In our case, the we submit
      the authentication assertion as a query parameter in our token
      URL. This is designed to flexibly accommodate different auth needs
      by intepreting the assertion differently and using a different
      identity module to return whatever type of grant is needed depending
      on the authentication mechanisms in place on the back end.
      
      On the back end:
      
      - Introduce a dependency on a brand new library, pyramid-oauthlib, to
        make this code cleaner and more modular.
      - Simplify our session by removing multiple signin code that was not
        ever fully realized; personas are no longer explicitly maintained in
        the session by application code.
      - The Pyramid SessionAuthenticationPolicy is put into place as part of
        h.auth.local. A SessionGrant is configured as the default grant type
        for integration via pyramid-oauthlib. This is what interprets the
        assertion sent in our token request. For other use cases, this might
        be a real BrowserID assertion or a session or refresh token of some
        other kind. This assertion is just the CSRF token our forms have been
        returning already.
      - `h#includeme` and `h#create_app` got some superficial simplification.
      - `h.api#authorize` handler for annotator-store authorizations now uses
        `request.effective_principals` instead of the session, so it doesn't
        care how the user is authenticated
        - Headers are now passed through on `Store` sub-requests so that both
        the annotator auth token and the session work for store authorizations
        which gets us close to cookie-less API auth!
        - `Consumer` class is moved into `h.auth.local`, removing the SQL
        requirement for core `h` and replacing it with just the requirement to
        register an `IConsumer` implementer.
      
      On the front end:
      
      - Break hypothesis.js into hypothesis.js and hypothesis-auth.js
      - Move session and auth modules into this auth package
      - Clean up the module dependency imports
      - Add an identity module to the auth package with `navigator.id` API
      - Significantly refactor `AppController`
        - Use the `identity.watch()` API to listen to login/logout from the
        active identity module
        - Clean up the login/logout state management a bit
          - Resolve a promise when the API service discovery happens
          - Stop using 'session', which becomes a detail of hypothesis-auth
        - Put much less on the scope from the controller
          - `scope.initUpdater` -> `initUpdater`
          - `scope.reloadAnnotations` -> `initStore`
          - `scope.session` -> replaced by `id`
          - Sorts and views are set in the markup
          - `AuthController` no longers needs to know about `model`, `sheet`,
          `sorts` or `views`
        - Isolate the form models
          - The auth directive now creates an isolate scope so that we're not
          leaking the form models all over the place
          - Stop using the inherited `$scope.model` means prevents submitting
          `persona` as a form parameter by accident
      - blocks.pt#auth-tabs becomes auth.html
        - Easy to override with `config.override_asset()` in Pyramid
        - Keeps the forms inside the isolate scope of the auth directive
      - The content of the sheet moves inside blocks.pt#auth
        - Nothing outside this knows or cares anymore that the sheet has tabs
        - Places where we want to request login use `identity.request()`
        rather than having to get at the root scope. The `authorize` event
        that this broadcasts is an internal detail of the auth pacakage.
      4cf39590
    • Randall Leeds's avatar
      Merge pull request #1372 from hypothesis/site-report-potpourri · 9f30f2e0
      Randall Leeds authored
      Site report potpourri
      9f30f2e0
    • Randall Leeds's avatar
      Improve guard in form validate · 37ff8175
      Randall Leeds authored
      I missed this in b67b2964b7a1fd1271be650ea02cf967fd0e17a3
      37ff8175
  3. 02 Aug, 2014 3 commits
    • Randall Leeds's avatar
      Merge pull request #1373 from hypothesis/1360-scrolling · d3dbfb25
      Randall Leeds authored
      Clean up scrolling and infinite stream
      d3dbfb25
    • gergely-ujvari's avatar
      b2bb7ca8
    • Randall Leeds's avatar
      Clean up scrolling and infinite stream · d2761210
      Randall Leeds authored
      Simplify our efforts around scrolling and fix the scrollbars on the
      stream.
      
      - Scrollbar had crept inside the content on a previous change such
        that scroll bars for the stream were not all the way to the edge
        of the screen. Refactoring the duties of #wrapper and .content.
      - Drop the mousewheel trapping. I tried and looked and researched
        and we can't do this reliably on touch or anything else. It didn't
        seem necessary or worth the dependency on jquery.mousewheel or
        even obviously a good experience. Not worth the code.
      - Fix infinite scroll to use its directive element rather than the
        $window, make its code less jquery, and give it a buffer to smooth
        the experience a bit more.
      
      Fix #1360
      d2761210
  4. 01 Aug, 2014 21 commits
  5. 31 Jul, 2014 10 commits