-
Notifications
You must be signed in to change notification settings - Fork 5
Add token refresh flow. #369
Changes from 14 commits
4e08716
0a603ee
03e6cec
42d06c9
2caa387
29b0a21
d770466
834a8da
f3c4e28
3ca3b8c
090cb17
b156158
2a6d6b6
0f925ad
9469307
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,18 +6,41 @@ require('./auth.module.js') | |
var OAuth = require('panoptes-client/lib/oauth'); | ||
|
||
// @ngInject | ||
function authFactory($interval, $timeout, $location, $window, localStorageService, ModalsFactory, zooAPI, zooAPIConfig, CribsheetFactory, $rootScope) { | ||
function authFactory($location, $rootScope, $state, $transitions, $window, AnnotationsFactory, zooAPI, CribsheetFactory) { | ||
|
||
var factory; | ||
|
||
var _user = {}; | ||
|
||
OAuth.checkCurrent() | ||
.then(function (user) { | ||
if (user) { | ||
_setUserData(); | ||
} | ||
}); | ||
.then(function (user) { | ||
if (user) { | ||
_setUserData(); | ||
} | ||
}) | ||
.then(function() { | ||
zooAPI.beforeEveryRequest = function() { | ||
return OAuth.checkBearerToken() | ||
.then(function (token) { | ||
// We catch any request to access the transcribe route. | ||
$transitions.onStart({ to: 'Transcribe'}, function(transition) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What happens here if my session expires while I'm navigating to a different page, such as the home page, or if I'm already transcribing when my session expires (which is the most likely scenario)? Correct me if I'm wrong, but this block looks like it only checks if I'm still logged in when I'm about to load the transcription page. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You're right. Removing the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You want to check for a valid token before every API request anyway, so just remove this check. |
||
token = $window.sessionStorage.getItem('panoptesClientOAuth_tokenDetails'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Never, ever access the client's storage directly like this. You should always go through There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added that like because There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Absolutely not. Don't load the client's token directly because a) you don't know what name the client code uses internally to store the token, and this may well change b) the client has a public method defined to get the token for you: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clearing storage logs your session out, so the client logs you back in if you still have a valid Panoptes session. It doesn't simulate your session having expired. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for clarify. What's the alternative then? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Set the token There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm confused. If you mean "hack the local copy of the client in node_modules", I'm already doing that; if you don't mean that, I don't know what you mean, sorry. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That's exactly right. Hack the installed copy of oauth.js so that the client checks with Panoptes for a session, rather than using the stored token. Don't forget to block third-party cookies too, since that's the bug you're addressing in this PR. |
||
// The Panoptes client doesn't return an error but just null when it can't refresh the token. | ||
// So we check for null, instead of using a catch block. | ||
if (_user.id && token === null) { | ||
// We're logged in but don't have a token any more. | ||
alert('Your session is expired. Press OK to save your work and start a new one.') | ||
// Save any unsaved work and redirect to Panoptes for a new token. | ||
AnnotationsFactory.updateCache(); | ||
OAuth.signIn($location.absUrl()); | ||
// Abort ui-router state transition | ||
return Promise.reject(new Error('ui-router transition aborted')); | ||
} | ||
} | ||
) | ||
}) | ||
} | ||
}); | ||
|
||
factory = { | ||
signIn: signIn, | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -77,8 +77,9 @@ function TranscribeController($stateParams, $modal, $scope, $window, Annotations | |
|
||
function loadSubject() { | ||
return SubjectsFactory.$getData($stateParams.subjectSet) | ||
.then(subjectLoaded, subjectLoadError) | ||
.then(loadAggregations); | ||
.then(subjectLoaded) | ||
.then(loadAggregations) | ||
.catch(handleErrors); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is catching any errors in |
||
} | ||
|
||
function openTutorial() { | ||
|
@@ -93,12 +94,10 @@ function TranscribeController($stateParams, $modal, $scope, $window, Annotations | |
vm.subject = SubjectsFactory.current; | ||
} | ||
|
||
function subjectLoadError(result) { | ||
if (result === 'outOfData') { | ||
function handleErrors(error) { | ||
if (error === 'outOfData') { | ||
$scope.$broadcast('subject:outOfData'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Did you mean to delete this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I did, because your pseudo-code didn't use it, so I thought deleting was implied in your comment. Was it not? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That code was an example of how to catch errors in a chain of promises, that's all. What did this line do? It looks, to me, like it notifies when the workflow is out of subjects, or something like that. Won't removing it break SW wherever it listens for this event? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You're right. I've been looking into the same 10 lines for too long. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Mind you, not adding it back in helps with stopping requests... There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If I understand correctly, you're adding it back in like this? loadSubjects()
.catch(handleSubjectError)
.then(loadAggregations)
.catch(handleErrors) in which case What you really want to be doing is interrupting the chain, then handling your errors at the end ie. use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No, I was adding it back like this:
But I think it's equivalent. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yep, that's functionally the same as the pseudo-code I posted. A There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should I just remove There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I read that. That's why I said they are equivalent. |
||
} else { | ||
console.error('Error loading subject', result); | ||
} | ||
console.log(error); | ||
} | ||
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,6 @@ | ||
'use strict'; | ||
|
||
module.exports = require('angular') | ||
.module('app.zooapi', []); | ||
.module('app.zooapi', [ | ||
'app.transcribe.annotations' | ||
]); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This will also need to be reverted if token check is done in |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -66,7 +66,7 @@ function buildScript(file) { | |
.pipe(gulpif(createSourcemap, sourcemaps.init())) | ||
.pipe(gulpif(global.isProd, streamify( | ||
uglify({ | ||
compress: { drop_console: true } | ||
compress: { } // leave console.log in prod, for testing | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This change should be reverted before this is merged to master. |
||
}) | ||
.on('error', handleErrors) | ||
))) | ||
|
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we want to keep these whitespace changes only?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes please
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is the indenting at 4 spaces?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because it was like that when I started working on this app and it was too late when I realised I could change it. It annoys me every time I work on it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok - this PR has the change in whitespace here it seems unrelated and that's why i'm confused by it. It's not blocking for sure, just this PR is adding spacing to a function for some reason...