1. 06 Feb, 2017 1 commit
  2. 03 Feb, 2017 8 commits
  3. 02 Feb, 2017 6 commits
  4. 01 Feb, 2017 8 commits
  5. 30 Jan, 2017 5 commits
  6. 27 Jan, 2017 2 commits
  7. 26 Jan, 2017 3 commits
  8. 25 Jan, 2017 5 commits
    • Add tests for OAuth authentication · eec82fc7
      Robert Knight authored
      These tests stub the $http service rather than relying on the mock
      $httpBackend from Angular mocks because that makes it easier to work
      with native Promises.
    • Include 'authority' argument in call to API endpoint · e18c8996
      Robert Knight authored
      When the user is on a page using 3rd party accounts but is not logged
      in, they will not have an access token.
      
      In this case, the 'authority' argument provides a way for the service to
      determine which authority-specific groups and preferences should be
      included in the returned profile.
    • Whitelist and document the 'services' config param · 2e36d1f1
      Robert Knight authored
      Document the 'services' config param which the host page may provide to
      the client.
    • Implement API token and profile fetching for OAuth clients · c604c0c3
      Robert Knight authored
      Implement access token and profile retrieval for embedders of the client
      that provide an OAuth grant token as part of the client's configuration.
      
      For a page embedding Hypothesis configured to use a 3rd-party account,
      the start up flow for the client is:
      
       1. Read service configuration from 'services' array in settings
      
       2. Exchange grant token from service config for an access token
          using the `POST /api/token` endpoint
      
       3. Fetch profile data using `GET /api/profile` endpoint
      
      On startup, the app reads the service config and then switches between
      either the cookie-based auth implementation or the OAuth-based auth
      implementation.
      
      In future, the cookie-based auth implementation will be removed in favor
      of OAuth-based auth for first-party accounts as well.
    • Remove auth => session dependency · 444482ec
      Robert Knight authored
      Simplify the "auth" service and remove the dependency on the
      "session" service. This will make it possible to introduce a "store" =>
      "session" dependency in future in order to support fetching the user's
      profile from the access token-authenticated /api/profile endpoint
      instead of the cookie-authenticated /app endpoint.
      
      The 'auth' service depended on 'session' for three things:
      
       - Being able to call `session.load()` in order to retrieve a CSRF
         token. This token is not needed for the `GET /api/token` endpoint
         following https://github.com/hypothesis/h/pull/4322
      
       - Calling `session.logout()`. This is fixed by removing the
         `auth.logout()` endpoint and changing the caller to call
         `session.logout()` directly instead. `session.logout()` in turn
         calls `auth.clearCache()` to clear cached API tokens.
      
       - Determining the current user ID in order to invalidate
         the cached token when that changes. The logic to clear the
         cache has instead been moved to the session service.
      
      This commit also adds additional tests for session logout.
  9. 24 Jan, 2017 2 commits