- 03 Feb, 2017 6 commits
-
-
Robert Knight authored
-
Robert Knight authored
-
Nick Stenning authored
Minify production build and fix prod build in non-ES6 browsers
-
Robert Knight authored
Ensure that NODE_ENV is set to 'production' when building the client for release and thereby ensure that the JS and CSS is minified.
-
Robert Knight authored
We are not currently transpiling client code using Babel, so this doesn't work with our minifier or older browsers.
-
Robert Knight authored
Use new profile update endpoint for dismissing sidebar tutorial
-
- 02 Feb, 2017 6 commits
-
-
Robert Knight authored
-
Robert Knight authored
Explicitly update vinyl-fs's graceful-fs dependency to v3.0.11. graceful-fs v3.0.8 had a dependency on an internal Node module which no longer exists in Node v7. See https://github.com/gulpjs/gulp/issues/1843
-
Robert Knight authored
-
chdorner authored
-
chdorner authored
-
chdorner authored
Make `store.profile` an object containing `read` in preperation for the upcoming changes where we will use the update profile endpoint for updating a user's preferences.
-
- 01 Feb, 2017 8 commits
-
-
Sean Roberts authored
Adding client metric tracking for interactions with annotations
-
Robert Knight authored
In preparation for adding a profile update endpoint, the name of the route for fetching the profile was renamed to 'profile.read'. See https://github.com/hypothesis/h/commit/a3d45a4a4abb5b7b6f899eade5186820340a545c
-
Sean Roberts authored
-
Sean Roberts authored
Verify userid after connecting to WebSocket
-
Robert Knight authored
-
Robert Knight authored
Listen for the 'whoyouare' reply to the 'whoami' request sent after the WebSocket connects and log a warning if the userid does not match the logged-in user for any reason.
-
Robert Knight authored
Show annotation counts on page.
-
Sheetal Umesh Kumar authored
Show annotation count on the page, so that users don't have to open to sidebar to know how many annotations are in the page. Fixes: https://github.com/hypothesis/product-backlog/issues/129
-
- 30 Jan, 2017 5 commits
-
-
Sean Roberts authored
Use access token to authenticate WebSocket connections
-
Sean Roberts authored
* master: Remove auth => session dependency
-
Robert Knight authored
Exchange access token and fetch profile via API when a grant token is provided
-
Robert Knight authored
* Clarify that the service list augments rather than replaces the default list which consists of the public Hypothesis service. * Document the keys of objects in the _services_ array
-
Robert Knight authored
Send a "whoami" request [1] after connecting to query the authenticated user ID for the WS connection. This makes it easy to check that authentication for the WS worked as expected by inspecting the frames of the connection in the devtools. [1] http://h.readthedocs.io/en/latest/realtime/#whoami
-
- 27 Jan, 2017 2 commits
-
-
Robert Knight authored
-
Robert Knight authored
Supply the access token to the WebSocket via a query param. This method is used to send the token because the WebSocket constructor does not allow setting custom headers. See https://github.com/hypothesis/product-backlog/issues/154 for context. An alternative that was tried initially was embedding a username and password in the URL via `wss://user:password@host/` syntax but that turned out not to be supported by IE/Edge and required the server to fail the initial request with a 401 response. Fixes hypothesis/product-backlog#126
-
- 26 Jan, 2017 3 commits
-
-
Sean Roberts authored
* master:
-
Sean Roberts authored
Remove auth => session dependency
-
Robert Knight authored
* Start the clock just _before_ the access token exchange occurs, otherwise the client will incorrectly add the delay between the server sending the token and the client receiving it to the expiry timestamp. * Use performance.now() instead of Date.now() so that expiry checks are not affected by system clock changes. performance.now() is supported on IE >= 10 and all modern browsers.
-
- 25 Jan, 2017 5 commits
-
-
Robert Knight authored
These tests stub the $http service rather than relying on the mock $httpBackend from Angular mocks because that makes it easier to work with native Promises.
-
Robert Knight authored
When the user is on a page using 3rd party accounts but is not logged in, they will not have an access token. In this case, the 'authority' argument provides a way for the service to determine which authority-specific groups and preferences should be included in the returned profile.
-
Robert Knight authored
Document the 'services' config param which the host page may provide to the client.
-
Robert Knight authored
Implement access token and profile retrieval for embedders of the client that provide an OAuth grant token as part of the client's configuration. For a page embedding Hypothesis configured to use a 3rd-party account, the start up flow for the client is: 1. Read service configuration from 'services' array in settings 2. Exchange grant token from service config for an access token using the `POST /api/token` endpoint 3. Fetch profile data using `GET /api/profile` endpoint On startup, the app reads the service config and then switches between either the cookie-based auth implementation or the OAuth-based auth implementation. In future, the cookie-based auth implementation will be removed in favor of OAuth-based auth for first-party accounts as well.
-
Robert Knight authored
Simplify the "auth" service and remove the dependency on the "session" service. This will make it possible to introduce a "store" => "session" dependency in future in order to support fetching the user's profile from the access token-authenticated /api/profile endpoint instead of the cookie-authenticated /app endpoint. The 'auth' service depended on 'session' for three things: - Being able to call `session.load()` in order to retrieve a CSRF token. This token is not needed for the `GET /api/token` endpoint following https://github.com/hypothesis/h/pull/4322 - Calling `session.logout()`. This is fixed by removing the `auth.logout()` endpoint and changing the caller to call `session.logout()` directly instead. `session.logout()` in turn calls `auth.clearCache()` to clear cached API tokens. - Determining the current user ID in order to invalidate the cached token when that changes. The logic to clear the cache has instead been moved to the session service. This commit also adds additional tests for session logout.
-
- 24 Jan, 2017 5 commits
-
-
Sean Roberts authored
-
Sean Roberts authored
-
Robert Knight authored
Add Firefox to valid keys
-
Robert Knight authored
Explicitly add Authorization header to API requests
-
Sean Roberts authored
Only import known config params from the host page
-