• Nick Stenning's avatar
    Remove "assertion" GET param from token requests · e0e23bde
    Nick Stenning authored
    When fetching a JWT from the server, the client needs to supply the
    session CSRF token in order to prevent third-party pages from being able
    to fetch and use tokens without the user's permission.
    
    Previously, it was necessary to supply this token in the "assertion" GET
    parameter -- in an attempt to make this look a bit like an OAuth token
    issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out
    not to be necessary, because Angular's CSRF support retrieves the token
    from an XSRF-TOKEN cookie set in earlier requests and sets the
    X-CSRF-Token request header automatically.
    e0e23bde
Name
Last commit
Last update
..
static Loading commit data...
templates/client Loading commit data...