Port digital-utsc work to pass auth token to Cantaloupe. #32
base: 2.x
if (!empty(\Drupal::hasService('jwt.authentication.jwt'))) { | ||
$variables['#attached']['drupalSettings']['token'] = \Drupal::service('jwt.authentication.jwt')->generateToken(); | ||
} |
This continues to propagate the issue of time-limited tokens being maintained potentially perpetually in cache: needs the cache metadata to limit how long the templated content could be used.
}); | ||
|
||
self.addEventListener('fetch', function (event) { | ||
if (event.request.destination === "image" && new URL(event.request.url).pathname.startsWith('/cantaloupe/iiif/') && new URL(location).searchParams.has('token')) { |
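Review bot: The match on this line tests only the pathname, so an image request to any other origin whose path begins with /cantaloupe/iiif/ also satisfies it; if the branch that follows attaches the token, as the PR description says the worker does, the token would be sent off-site. Compare the parsed URL's origin with self.location.origin (or a configured Cantaloupe origin) before matching the path, and parse event.request.url once into a variable rather than constructing URL objects inside the condition on every fetch.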
Not sure the .startsWith('/cantaloupe/iiif') bit here is properly portable? Is into deployment details?
// do not have authorization or token headers. Attach them using a service worker. | ||
window.addEventListener('load', () => { | ||
navigator.serviceWorker | ||
.register('/islandora_mirador_service_worker?token=' + settings.token, { scope: '/' }) |
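Review bot: Concatenating settings.token into the script URL in the .register() call puts the token in the query string of a GET request, where web server and proxy access logs will record it, and every new token value is a different script URL, which the browser treats as a new worker to install. Register a fixed URL and hand the token to the worker with postMessage once navigator.serviceWorker.ready resolves; that also gives the page a way to replace an expired token.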
Not sure this is fully portable, with the assumption of the site being directly on the root? As in, if using language or site path prefixing, then should this follow suit? Drupal might expose a helper for this?
@@ -32,6 +32,11 @@ function islandora_mirador_theme() { | |||
function template_preprocess_mirador(&$variables) { | |||
$variables['mirador_view_id'] = Html::getUniqueId($variables['mirador_view_id']); | |||
|
|||
if (!empty(\Drupal::hasService('jwt.authentication.jwt'))) { | |||
$variables['#attached']['drupalSettings']['token'] = \Drupal::service('jwt.authentication.jwt')->generateToken(); |
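Review bot: \Drupal::hasService() already returns a boolean, so the !empty() wrapper in the condition adds nothing and can be dropped. Because the generated token ends up in the rendered drupalSettings, the same function should also attach cache metadata to $variables: a max-age no longer than the token lifetime, and the user cache context if the token identifies the current user, so that one user's cached render cannot hand its token to another.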
This token's TTL needs to be part of the cacheable metadata, right?
Pretty much.
$response = new BinaryFileResponse($file_str, 200); | ||
$response->headers->set('Content-Type', 'application/javascript'); | ||
// Allow same origin service worker. | ||
$response->headers->set('Service-Worker-Allowed', '/'); |
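Review bot: The comment "Allow same origin service worker" above the header line does not describe what the header does: Service-Worker-Allowed: / raises the maximum scope a worker served from this path may claim to the whole site. Reword the comment to say so, and since the worker then sees every fetch made by the pages it controls, record here that the fetch handler is what limits which requests receive the token.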
I'm guessing this HTTP header is the reason we're adding this controller instead of just serving the JS?
scripts/delegates.rb
Outdated
Does this need to go in the cantaloupe server?
Yes; although I'm sure it could be slimmed down.
Hi @alxp, by any chance is this PR or the branch https://github.com/Islandora/islandora_mirador/tree/31-auth-token going to be merged? Thanks
Hi @kylehuynh205, my work is not prioritizing making the changes that people in this thread have requested above, so I'm not scheduled to spend any time on it. Since you wrote the code originally, it might be best if you took over this ticket to get it through. The biggest thing that would help might be a way to test an item that should not be visible to anonymous users. This could maybe just be a piece of unpublished content. The ISLE change to include the access check Ruby script would also be helpful.
What does this Pull Request do?
Ports the work that @kylehuynh205 did to pass along the Islandora Authorization token to every request made by the Mirador viewer to Cantaloupe so Cantaloupe can retrieve images from Fedora or other private locations.
What's new?
The Mirador Viewer wrapper Javascript code now adds the Islandora auth token to the Javascript settings array.
It then adds this token to the Mirador config array.
It also sets up a service worker that adds the auth headers to the image requests that get made to retrieve the thumbnails which are simple img tags.
(i.e. Regeneration activity, etc.)? No
How should this be tested?
Testing instructions to come.
Documentation Status
Additional Notes:
Any additional information that you think would be helpful when reviewing this
PR.
Interested parties
Tag (@ mention) interested parties or, if unsure, @Islandora/committers @kylehuynh205
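
The service-worker behaviour described under "What's new?", as an added example that is not code from this pull request: it decides per request whether the token may be attached, limiting it to same-origin IIIF image requests and to tokens whose `exp` claim has not passed. The helper names, the `Authorization: Bearer` header form and the sample token are assumptions; the path prefix and the `token` query parameter come from the lines quoted in the review.

```javascript
// Added example: gatekeeping logic for a token-attaching service worker.
// Helper names are hypothetical; IIIF_PREFIX mirrors the path in the PR.
const IIIF_PREFIX = '/cantaloupe/iiif/';

// Constructed sample: unsigned token whose payload is {"exp":2000}.
const SAMPLE_TOKEN = 'eyJhbGciOiJub25lIn0.eyJleHAiOjIwMDB9.sig';

// Read the `exp` claim (seconds since epoch) without verifying the signature.
// Only used to stop sending a token the server would reject anyway.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    const exp = JSON.parse(atob(padded)).exp;
    return typeof exp === 'number' ? exp : null;
  } catch (e) {
    return null;
  }
}

// True only for same-origin IIIF image requests while the token is unexpired.
function shouldAttachToken(req, workerOrigin, token, nowSeconds) {
  if (req.destination !== 'image') return false;
  let url;
  try { url = new URL(req.url); } catch (e) { return false; }
  if (url.origin !== workerOrigin) return false; // never send the token off-site
  if (!url.pathname.startsWith(IIIF_PREFIX)) return false;
  const exp = jwtExpiry(token);
  return exp !== null && exp > nowSeconds;
}

// Wire-up, active only inside a real service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  const token = new URL(self.location).searchParams.get('token');
  self.addEventListener('fetch', (event) => {
    const now = Math.floor(Date.now() / 1000);
    if (!shouldAttachToken(event.request, self.location.origin, token, now)) return;
    const headers = new Headers(event.request.headers);
    headers.set('Authorization', 'Bearer ' + token); // assumed header form
    // <img> requests are no-cors, which drops Authorization; switch the mode.
    event.respondWith(fetch(new Request(event.request, { headers, mode: 'same-origin' })));
  });
}
```

Requests that fail the check fall through to the browser's default handling, so an expired token degrades to an anonymous request instead of a stale credential being sent.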