1. 09 Feb, 2017 4 commits
    • Robert Knight's avatar
      Reuse existing config mechanism for sidebar app URL · d9dca33b
      Robert Knight authored
      Instead of creating a new mechanism for the client's deliverer to set
      the sidebar app URL and asset root, re-use the existing documented
      system for configuring the client.
      
       - Rename 'appHtmlUrl' to 'sidebarAppUrl' to be more obvious to new
         developers.
       - Make `settings.js` usable without a polyfill for Object.assign()
         so that it can be used in the very small boot script.
      d9dca33b
    • Robert Knight's avatar
      Add comment to src/boot/index.js · 5bd185ba
      Robert Knight authored
      Add a comment explaining why the two entry points for the client both
      use the same script.
      5bd185ba
    • Robert Knight's avatar
      Add a new entry point script for the client application · 6abe62d6
      Robert Knight authored
      Add a new bundle (build/boot.js) which serves as the main entry point
      for the client. This entry point will be used in two places:
      
       1. When embedded in a host web page it will add the bundle for the
          annotation layer (injector.bundle.js) to the page plus supporting
          assets.
      
       2. When included as the sole asset in the sidebar's HTML page
          it will add the bundle for the sidebar app (app.bundle.js) to the
          page plus supporting assets.
      
      Having both entry points be a single script means that when it is
      referenced in app.html, the browser will already have it cached locally,
      saving a roundtrip.
      
      In this commit the script just adds all <script> and <link> tags for the
      annotation layer or sidebar to the document. In future it can be made
      smarter - eg. by preloading sidebar assets when loaded in the host page
      and not loading polyfills in newer browsers.
      6abe62d6
    • Robert Knight's avatar
      Merge pull request #220 from hypothesis/cache-access-token-promise-not-access-token · 29af928e
      Robert Knight authored
      Cache access token promise not access token
      29af928e
  2. 08 Feb, 2017 12 commits
    • Sean Hammond's avatar
      Simplify tokenGetter() · e15f5740
      Sean Hammond authored
      e15f5740
    • Sean Hammond's avatar
      Cache access token request promises · dbcb5881
      Sean Hammond authored
      Cache the access token request promise, not just the access token
      itself.
      
      This commit fixes a problem that the client would send multiple concurrent
      access token requests if tokenGetter() was called multiple times before
      a response to any of the HTTP requests was received:
      
      1. tokenGetter() is called, sends an HTTP request for the access token
         and returns a Promise for the access token from the request's response
      
      2. Before the HTTP response is received tokenGetter() is called again,
         sends another HTTP request, returns another Promise.
      
      As soon as one access token response is received then tokenGetter()
      caches the access token and just returns it, doesn't send any more HTTP
      requests, but each time tokenGetter() is called *before the first access
      token response has been received* it sends another, concurrent access
      token request. It does not "know" that it already has an access token
      request in-flight.
      
      The fix is to cache the first access token request Promise when the first
      access token request is sent and then just keep returning that Promise, instead
      of sending more requests:
      
      Instead of caching the access token itself (`cachedToken`) we now cache
      a Promise for the access token (`accessTokenPromise`) the first
      time we send the access token request.
      
      Each further time that `tokenGetter()` is called, if it already has a
      `accessTokenPromise`, then it just returns the Promise and doesn't
      send another HTTP request. It now "knows" that it already has an access
      token request in-flight.
      dbcb5881
    • Robert Knight's avatar
      Merge pull request #219 from hypothesis/dont-reuse-oauth-grant-tokens · 8620bf98
      Robert Knight authored
      Don't reuse OAuth grant tokens
      8620bf98
    • Robert Knight's avatar
      Merge pull request #218 from hypothesis/add-test-for-failed-grant-token-request · 7f75f29e
      Robert Knight authored
      Add test for failed grant token request
      7f75f29e
    • Sean Hammond's avatar
      Add test for failed access token request · 4087de35
      Sean Hammond authored
      4087de35
    • Robert Knight's avatar
      Merge pull request #216 from hypothesis/dont-delete-cached-oauth-access-token · 0e8e035f
      Robert Knight authored
      Don't delete cached OAuth access token
      0e8e035f
    • Sean Hammond's avatar
      Don't cache the OAuth grant token · d0bfcce7
      Sean Hammond authored
      Simplify the oauth-auth service by not caching the grant token in memory
      - it is (now) only used once anyway.
      d0bfcce7
    • Sean Hammond's avatar
      Don't reuse OAuth grant tokens · 4e51fe3e
      Sean Hammond authored
      Don't reuse the OAuth grant token if the access token has expired.
      
      The grant token is only intended to be used once, and if the access
      token has expired then the grant token will likely have expired as well anyway.
      
      A later commit will add support for refreshing an expired access token
      using its refresh token, instead.
      4e51fe3e
    • Sean Roberts's avatar
      Merge pull request #212 from hypothesis/update-docs · 480e1bae
      Sean Roberts authored
      Add examples in docs for sidebar trigger and annotation count display.
      480e1bae
    • Sheetal Umesh Kumar's avatar
    • Sean Hammond's avatar
      Don't call clearCache() when using OAuth · dbf5d781
      Sean Hammond authored
      When using OAuth (the host page provides an embedded grant token) don't
      call auth.clearCache() on session update. The authorized user never
      changes when using OAuth with a grant token embedded in the page, and
      the oauth-auth service's clearCache() is a no-op anyway, so there is no
      point in calling clearCache() here.
      dbf5d781
    • Sean Hammond's avatar
      Don't delete the cached OAuth access token · 0e229735
      Sean Hammond authored
      This fixes an issue that, when the client is embedded on a partner site
      using third-party auth:
      
      1. The client reads grant token that the client embeds in their page
         from the page
      2. The oauth-auth service sends a grant token request, receives back an
         access token which it caches
      3. session.js calls oauth-auth's clearCache(), which deletes the access
         token
      4. The next time the access token is needed the oauth-auth sends a
         second grant token request, with the same grant token, and gets a
         second access token
      
      So two grant token requests are sent, when only one was needed, because
      the cached access token is deleted unnecessarily.
      
      The fix is to make clearCache() in oauth-auth a no-op for now. For now
      it never makes sense for oauth-auth to clear its cached access token.
      OAuth is currently only used when the client is embedded in partner
      sites and the grant token is embedded in the page by the client. Since
      the grant token never changes, there's never any reason to clear the
      access token and request a new one using the same grant token again (you
      would just be requesting a new access token for the same user account).
      0e229735
  3. 06 Feb, 2017 2 commits
  4. 03 Feb, 2017 9 commits
  5. 02 Feb, 2017 6 commits
  6. 01 Feb, 2017 7 commits