- 30 Jan, 2017 1 commit
-
-
Robert Knight authored
* Clarify that the service list augments rather than replaces the default list which consists of the public Hypothesis service.
* Document the keys of objects in the _services_ array
-
- 26 Jan, 2017 3 commits
-
-
Sean Roberts authored
* master:
-
Sean Roberts authored
Remove auth => session dependency
-
Robert Knight authored
* Start the clock just _before_ the access token exchange occurs, otherwise the client will incorrectly add the delay between the server sending the token and the client receiving it to the expiry timestamp.
* Use performance.now() instead of Date.now() so that expiry checks are not affected by system clock changes. performance.now() is supported on IE >= 10 and all modern browsers.
-
- 25 Jan, 2017 5 commits
-
-
Robert Knight authored
These tests stub the $http service rather than relying on the mock $httpBackend from Angular mocks because that makes it easier to work with native Promises.
-
Robert Knight authored
When the user is on a page using 3rd party accounts but is not logged in, they will not have an access token. In this case, the 'authority' argument provides a way for the service to determine which authority-specific groups and preferences should be included in the returned profile.
-
Robert Knight authored
Document the 'services' config param which the host page may provide to the client.
-
Robert Knight authored
Implement access token and profile retrieval for embedders of the client that provide an OAuth grant token as part of the client's configuration.

For a page embedding Hypothesis configured to use a 3rd-party account, the start up flow for the client is:

  1. Read service configuration from 'services' array in settings
  2. Exchange grant token from service config for an access token using the `POST /api/token` endpoint
  3. Fetch profile data using `GET /api/profile` endpoint

On startup, the app reads the service config and then switches between either the cookie-based auth implementation or the OAuth-based auth implementation. In future, the cookie-based auth implementation will be removed in favor of OAuth-based auth for first-party accounts as well.
-
Robert Knight authored
Simplify the "auth" service and remove the dependency on the "session" service. This will make it possible to introduce a "store" => "session" dependency in future in order to support fetching the user's profile from the access token-authenticated /api/profile endpoint instead of the cookie-authenticated /app endpoint.

The 'auth' service depended on 'session' for three things:

  - Being able to call `session.load()` in order to retrieve a CSRF token. This token is not needed for the `GET /api/token` endpoint following https://github.com/hypothesis/h/pull/4322
  - Calling `session.logout()`. This is fixed by removing the `auth.logout()` endpoint and changing the caller to call `session.logout()` directly instead. `session.logout()` in turn calls `auth.clearCache()` to clear cached API tokens.
  - Determining the current user ID in order to invalidate the cached token when that changes. The logic to clear the cache has instead been moved to the session service.

This commit also adds additional tests for session logout.
-
- 24 Jan, 2017 8 commits
-
-
Sean Roberts authored
-
Sean Roberts authored
-
Robert Knight authored
Add Firefox to valid keys
-
Robert Knight authored
Explicitly add Authorization header to API requests
-
Sean Roberts authored
Only import known config params from the host page
-
Sean Roberts authored
-
Robert Knight authored
Testing code that mixes native promises with $q promises (eg. as returned by $http methods) is a PITA in tests because in that environment:

  1. Native promises behave as usual - resolving on the next tick
  2. $q promises do not resolve until a digest is triggered explicitly.

As a result, causing a promise pipeline involving both types of promises to fully execute is tricky. Sticking to `$q` promises for the moment means that `$httpBackend.flush()` will synchronously flush any resolved promises and HTTP requests.

In future we can replace this crap with plain fetch() as part of extracting the Hypothesis API client as a separate entity from the client.
-
Robert Knight authored
-
- 23 Jan, 2017 3 commits
-
-
Sean Roberts authored
Add analytics tracking
-
Sean Roberts authored
-
Robert Knight authored
The previous method of importing config params allowed the host page to override any configuration parameter provided by the service hosting the client's app.html file, potentially introducing vulnerabilities. This PR limits the client to importing only config parameters from a whitelist. This also has the benefit of clearly documenting all the parameters that can come from the host page in one place in the code.
-
- 19 Jan, 2017 3 commits
-
-
Sean Roberts authored
-
Robert Knight authored
Add Google Analytics if settings supply it
-
Sean Roberts authored
-
- 18 Jan, 2017 1 commit
-
-
Robert Knight authored
Remove the global HTTP interceptor provided by angular-jwt which added the Authorization header to API requests and replace it with explicit logic in `createAPICall` to do the same thing.

This will enable replacing the JWT tokens with opaque access tokens when using a publisher-provided grant token for authentication. It also provides a more explicit way to only include the access token with requests to the API, rather than filtering based on the URL prefix of the request in the `tokenGetter` implementation.

  * Remove angular-jwt's HTTP interceptor and replace it with logic in store.js to explicitly fetch an access token using the `auth` module and add an Authorization header to API requests.
  * Convert standalone functions and global variables in auth.js to methods on the auth service. This will enable swapping out the current auth service implementation which uses cookies + CSRF for authentication with one that uses the OAuth grant token.
  * Fix several cases in store-test.js where functions that made assertions inside Promise callbacks did not explicitly wait for the Promise to resolve before finishing the test.
-
- 17 Jan, 2017 2 commits
-
-
-
Sean Roberts authored
Separate sidebar and annotation layer
-
- 16 Jan, 2017 7 commits
-
-
Sean Hammond authored
Update shrinkwrap
-
Robert Knight authored
Remove one layer of dir traversal after moving karma.config.js from src/scripts to src/sidebar.
-
Robert Knight authored
All of the templates are part of the sidebar application.
-
Robert Knight authored
Separate out the code for:

  - The sidebar application (now in src/sidebar)
  - The annotation layer and client bootstrap (now in src/annotator)
  - Code shared between the two (now in src/shared)
-
Robert Knight authored
Update the shrinkwrap based on the result of:

  1. Removing `node_modules`
  2. Re-installing dependencies with `npm install` using the latest npm v3 release (v3.10.10).
  3. Running `npm shrinkwrap --dev`

The changes are a "dev" key added to all dependencies to signify that they came from "devDependencies" and some additional babel dependencies that were missed in a previous shrinkwrap update.
-
Sean Hammond authored
Simplify client source directory structure
-
Robert Knight authored
-
- 12 Jan, 2017 2 commits
-
-
Robert Knight authored
The previous location was a vestige of when the client was part of the Hypothesis web service.
-
Robert Knight authored
The 'h/static' directory names are a vestige from when the client was part of the Hypothesis web service.
-
- 10 Jan, 2017 5 commits
-
-
Robert Knight authored
-
Robert Knight authored
-
Robert Knight authored
Update to latest version of dom-anchor-text-{quote, position} libs
-
Robert Knight authored
-
Robert Knight authored
Adapt to `toRange` returning null in 4.x rather than throwing an exception if the quote is not found and add a test case for quote anchoring failing. See https://github.com/tilgovi/dom-anchor-text-quote/issues/10
-