Port digital-utsc work to pass auth token to Cantaloupe. #32
Conversation
| if (!empty(\Drupal::hasService('jwt.authentication.jwt'))) { | ||
| $variables['#attached']['drupalSettings']['token'] = \Drupal::service('jwt.authentication.jwt')->generateToken(); | ||
| } |
There was a problem hiding this comment.
This continues to propagate the issue of time-limited tokens being maintained potentially perpetually in cache: needs the cache metadata to limit how long the templated content could be used.
| }); | ||
|
|
||
| self.addEventListener('fetch', function (event) { | ||
| if (event.request.destination === "image" && new URL(event.request.url).pathname.startsWith('/cantaloupe/iiif/') && new URL(location).searchParams.has('token')) { |
There was a problem hiding this comment.
Not sure the .startsWith('/cantaloupe/iiif') bit here is properly portable? Is into deployment details?
| // do not have authorization or token headers. Attach them using a service worker. | ||
| window.addEventListener('load', () => { | ||
| navigator.serviceWorker | ||
| .register('/islandora_mirador_service_worker?token=' + settings.token, { scope: '/' }) |
There was a problem hiding this comment.
Not sure this is fully portable, with the assumption of the site being directly on the root? As in, if using language or site path prefixing, then should this follow suit? Drupal might expose a helper for this?
| @@ -32,6 +32,11 @@ function islandora_mirador_theme() { | |||
| function template_preprocess_mirador(&$variables) { | |||
| $variables['mirador_view_id'] = Html::getUniqueId($variables['mirador_view_id']); | |||
|
|
|||
| if (!empty(\Drupal::hasService('jwt.authentication.jwt'))) { | |||
| $variables['#attached']['drupalSettings']['token'] = \Drupal::service('jwt.authentication.jwt')->generateToken(); | |||
There was a problem hiding this comment.
This token's TTL needs to be part of the cacheable metadata, right?
| $response = new BinaryFileResponse($file_str, 200); | ||
| $response->headers->set('Content-Type', 'application/javascript'); | ||
| // Allow same origin service worker. | ||
| $response->headers->set('Service-Worker-Allowed', '/'); |
There was a problem hiding this comment.
I'm guessing this HTTP header is the reason we're adding this controller instead of just serving the JS?
scripts/delegates.rb
Outdated
There was a problem hiding this comment.
Does this need to go in the cantaloupe server?
There was a problem hiding this comment.
Yes; although I'm sure it could be slimmed down.
|
Hi @alxp, by any change this PR or the branch https://github.com/Islandora/islandora_mirador/tree/31-auth-token is going to be merged ? Thanks |
|
Hi @kylehuynh205 , My work is not prioritizing making the changes that people in this thread have requested above, so I'm not scheduled to spend any time on it. Since you wrote the code originally, it might be best if you took over this ticket to get it through. The biggest thing that would help might be a way to test an item that should not be visible to anonymous users. This could maybe just be a piece of unpublished content. The ISle chnage to include the access check ruby script would also be helpful. |
What does this Pull Request do?
Ports the work that @kylehuynh205 did to pass along the Islandora Authorization token to every request made by the Mirador viewer to Cantaloupe so Cantaloupe can retrieve images from Fedora or other private locations.
What's new?
The Mirador Viewer wrapper Javascript code now adds the Islandora auth token to the Javascript settings array.
It then adds this token to the Mirador config array.
It also sets up a service worker that adds the auth headers to the image requests that get made to retrieve the thumbnails which are simple img tags.
(i.e. Regeneration activity, etc.)? No
How should this be tested?
Testing instructions to come.
Documentation Status
Additional Notes:
Any additional information that you think would be helpful when reviewing this
PR.
Interested parties
Tag (@ mention) interested parties or, if unsure, @Islandora/committers @kylehuynh205