  1. 01 Feb, 2017 8 commits
  2. 30 Jan, 2017 5 commits
  3. 27 Jan, 2017 2 commits
  4. 26 Jan, 2017 3 commits
  5. 25 Jan, 2017 5 commits
      Add tests for OAuth authentication · eec82fc7
      Robert Knight authored
      These tests stub the $http service rather than relying on the mock
      $httpBackend from Angular mocks because that makes it easier to work
      with native Promises.
      Include 'authority' argument in call to API endpoint · e18c8996
      Robert Knight authored
      When the user is on a page using 3rd party accounts but is not logged
      in, they will not have an access token.
      
      In this case, the 'authority' argument provides a way for the service to
      determine which authority-specific groups and preferences should be
      included in the returned profile.
      Whitelist and document the 'services' config param · 2e36d1f1
      Robert Knight authored
      Document the 'services' config param which the host page may provide to
      the client.
      Implement API token and profile fetching for OAuth clients · c604c0c3
      Robert Knight authored
      Implement access token and profile retrieval for embedders of the client
      that provide an OAuth grant token as part of the client's configuration.
      
      For a page embedding Hypothesis configured to use a 3rd-party account,
      the startup flow for the client is:
      
       1. Read service configuration from 'services' array in settings
      
       2. Exchange grant token from service config for an access token
          using the `POST /api/token` endpoint
      
       3. Fetch profile data using `GET /api/profile` endpoint
      
      On startup, the app reads the service config and then switches between
      either the cookie-based auth implementation or the OAuth-based auth
      implementation.
      
      In future, the cookie-based auth implementation will be removed in favor
      of OAuth-based auth for first-party accounts as well.
      Remove auth => session dependency · 444482ec
      Robert Knight authored
      Simplify the "auth" service and remove the dependency on the
      "session" service. This will make it possible to introduce a "store" =>
      "session" dependency in future in order to support fetching the user's
      profile from the access token-authenticated /api/profile endpoint
      instead of the cookie-authenticated /app endpoint.
      
      The 'auth' service depended on 'session' for three things:
      
       - Being able to call `session.load()` in order to retrieve a CSRF
         token. This token is not needed for the `GET /api/token` endpoint
         following https://github.com/hypothesis/h/pull/4322
      
       - Calling `session.logout()`. This is fixed by removing the
         `auth.logout()` endpoint and changing the caller to call
         `session.logout()` directly instead. `session.logout()` in turn
         calls `auth.clearCache()` to clear cached API tokens.
      
       - Determining the current user ID in order to invalidate
         the cached token when that changes. The logic to clear the
         cache has instead been moved to the session service.
      
      This commit also adds additional tests for session logout.
  6. 24 Jan, 2017 8 commits
  7. 23 Jan, 2017 3 commits
  8. 19 Jan, 2017 3 commits
  9. 18 Jan, 2017 1 commit
      Fetch access tokens and add Authorization header to API requests · 4b03e69d
      Robert Knight authored
      Remove the global HTTP interceptor provided by angular-jwt which added
      the Authorization header to API requests and replace it with explicit
      logic in `createAPICall` to do the same thing.
      
      This will enable replacing the JWT tokens with opaque access tokens when
      using a publisher-provided grant token for authentication.
      
      It also provides a more explicit way to only include the access token
      with requests to the API, rather than filtering based on the URL prefix
      of the request in the `tokenGetter` implementation.
      
       * Remove angular-jwt's HTTP interceptor and replace it with logic in
         store.js to explicitly fetch an access token using the `auth` module
         and add an Authorization header to API requests.
      
       * Convert standalone functions and global variables in auth.js to
         methods on the auth service. This will enable swapping out the
         current auth service implementation which uses cookies + CSRF
         for authentication with one that uses the OAuth grant token.
      
       * Fix several cases in store-test.js where functions that made
         assertions inside Promise callbacks did not explicitly wait for the
         Promise to resolve before finishing the test.
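The three-step startup flow described in commit c604c0c3 above (read the 'services' config, exchange the grant token at `POST /api/token`, fetch `GET /api/profile`), the 'authority' fallback from e18c8996, and the explicit Authorization-header logic from this commit, worked through as one added JavaScript example. This is not the Hypothesis client's own code. It assumes an API base of `https://hypothes.is/api/`, a `services[0].grantToken` field name, and a form-encoded `grant_type`/`assertion` token request; the fake API at the bottom is constructed so the file runs offline under Node.

```javascript
// Added example, not code from the Hypothesis client. Models the OAuth startup
// flow (c604c0c3), the 'authority' fallback (e18c8996) and the explicit
// Authorization header on API calls (4b03e69d). Names marked "assumed" are not
// taken from the project.

const API_ROOT = 'https://hypothes.is/api/'; // assumed base URL

// Step 1: read the first entry of settings.services (field names assumed).
function readServiceConfig(settings) {
  const services = Array.isArray(settings.services) ? settings.services : [];
  if (services.length === 0) return null;
  const svc = services[0];
  if (typeof svc.authority !== 'string' || svc.authority === '') {
    throw new Error('service config must name an authority');
  }
  return {
    authority: svc.authority,
    grantToken: typeof svc.grantToken === 'string' ? svc.grantToken : null,
  };
}

// Explicit replacement for a URL-prefix interceptor: only requests made through
// this wrapper carry the access token, and only when one is available.
function createAPICall(fetchImpl, getAccessToken) {
  return async function apiCall(path, { method = 'GET', body = null, headers = {} } = {}) {
    const token = await getAccessToken();
    const finalHeaders = { ...headers };
    if (token) finalHeaders.Authorization = 'Bearer ' + token;
    const res = await fetchImpl(API_ROOT + path, { method, body, headers: finalHeaders });
    if (!res.ok) throw new Error(`API call ${method} ${path} failed: ${res.status}`);
    return res.json();
  };
}

// Step 2: exchange the publisher-provided grant token for an access token.
// The grant_type/assertion form fields are an assumed request shape.
async function exchangeGrantToken(fetchImpl, grantToken) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion: grantToken,
  }).toString();
  const res = await fetchImpl(API_ROOT + 'token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!res.ok) throw new Error('token exchange failed: ' + res.status);
  const data = await res.json();
  if (typeof data.access_token !== 'string') throw new Error('token response lacks access_token');
  return data.access_token;
}

// Step 3: fetch the profile. Without an access token, pass `authority` so the
// service can still select authority-specific groups and preferences.
async function fetchProfile(apiCall, accessToken, authority) {
  if (accessToken || !authority) return apiCall('profile');
  return apiCall('profile?authority=' + encodeURIComponent(authority));
}

// Startup: switch between the cookie-based path (no service config) and the
// OAuth-based path. The cookie-based implementation itself is not modelled.
async function startup(settings, fetchImpl) {
  const svc = readServiceConfig(settings);
  if (!svc) return { authMode: 'cookie', accessToken: null, profile: null };
  const accessToken = svc.grantToken ? await exchangeGrantToken(fetchImpl, svc.grantToken) : null;
  const apiCall = createAPICall(fetchImpl, async () => accessToken);
  const profile = await fetchProfile(apiCall, accessToken, svc.authority);
  return { authMode: 'oauth', accessToken, profile };
}

// ---- constructed fake API: a stand-in for the real service, records requests ----
function makeFakeFetch() {
  const requests = [];
  const GRANT = 'constructed-grant-token';
  const ACCESS = 'constructed-access-token';
  const reply = (status, obj) => ({ ok: status < 400, status, json: async () => obj });
  async function fetchImpl(url, init = {}) {
    const headers = init.headers || {};
    requests.push({ url, method: init.method || 'GET', headers });
    const u = new URL(url);
    if (u.pathname === '/api/token' && init.method === 'POST') {
      const params = new URLSearchParams(init.body);
      return params.get('assertion') === GRANT
        ? reply(200, { access_token: ACCESS, token_type: 'Bearer' })
        : reply(400, { error: 'invalid_grant' });
    }
    if (u.pathname === '/api/profile') {
      if (headers.Authorization === 'Bearer ' + ACCESS) {
        return reply(200, { userid: 'acct:alice@partner.org', groups: ['partner-group'] });
      }
      const authority = u.searchParams.get('authority');
      return reply(200, { userid: null, groups: authority ? ['partner-public'] : ['__world__'] });
    }
    return reply(404, {});
  }
  return { fetchImpl, requests, GRANT };
}
```

The token is attached inside `createAPICall` rather than by a global interceptor, so a request to any non-API URL never receives it, and a page whose service config carries no grant token still gets an authority-scoped profile without sending any credential.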
  10. 17 Jan, 2017 2 commits