-
Notifications
You must be signed in to change notification settings - Fork 5
Add token refresh flow. #369
Changes from 1 commit
4e08716
0a603ee
03e6cec
42d06c9
2caa387
29b0a21
d770466
834a8da
f3c4e28
3ca3b8c
090cb17
b156158
2a6d6b6
0f925ad
9469307
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,7 +6,7 @@ require('./auth.module.js') | |
var OAuth = require('panoptes-client/lib/oauth'); | ||
|
||
// @ngInject | ||
function authFactory($location, $rootScope, $state, $transitions, AnnotationsFactory, zooAPI, CribsheetFactory) { | ||
function authFactory($location, $rootScope, $state, $transitions, $window, AnnotationsFactory, zooAPI, CribsheetFactory) { | ||
|
||
var factory; | ||
|
||
|
@@ -22,18 +22,22 @@ function authFactory($location, $rootScope, $state, $transitions, AnnotationsFac | |
zooAPI.beforeEveryRequest = function() { | ||
return OAuth.checkBearerToken() | ||
.then(function (token) { | ||
// The Panoptes client doesn't return an error but just null when it can't refresh the token. | ||
// So we check for null, instead of using a catch block. | ||
|
||
if (_user.id && token === null) { | ||
// We are logged in but don't have a token any more. | ||
alert('Your session is expired. Press OK to save your work and start a new one.') | ||
// Save any unsaved work and redirect to Panoptes for a new token. | ||
// AnnotationsFactory.updateCache(); | ||
// OAuth.signIn($location.absUrl()); | ||
return Promise.reject(new Error('HELP!')); | ||
|
||
} | ||
// We catch any request to access the transcribe route. | ||
$transitions.onStart({ to: 'Transcribe'}, function(transition) { | ||
token = $window.sessionStorage.getItem('panoptesClientOAuth_tokenDetails'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Never, ever access the client's storage directly like this. You should always go through There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added that like because There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Absolutely not. Don't load the client's token directly because a) you don't know what name the client code uses internally to store the token, and this may well change b) the client has a public method defined to get the token for you: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clearing storage logs your session out, so the client logs you back in if you still have a valid Panoptes session. It doesn't simulate your session having expired. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for clarify. What's the alternative then? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Set the token There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm confused. If you mean "hack the local copy of the client in node_modules", I'm already doing that; if you don't mean that, I don't know what you mean, sorry. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That's exactly right. Hack the installed copy of oauth.js so that the client checks with Panoptes for a session, rather than using the stored token. Don't forget to block third-party cookies too, since that's the bug you're addressing in this PR. |
||
// The Panoptes client doesn't return an error but just null when it can't refresh the token. | ||
// So we check for null, instead of using a catch block. | ||
if (_user.id && token === null) { | ||
// We're logged in but don't have a token any more. | ||
alert('Your session is expired. Press OK to save your work and start a new one.') | ||
// Save any unsaved work and redirect to Panoptes for a new token. | ||
AnnotationsFactory.updateCache(); | ||
OAuth.signIn($location.absUrl()); | ||
// Abort ui-router state transition | ||
return Promise.reject(new Error('ui-router transition aborted')); | ||
} | ||
} | ||
) | ||
}) | ||
} | ||
}); | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -98,6 +98,6 @@ function TranscribeController($stateParams, $modal, $scope, $window, Annotations | |
if (error === 'outOfData') { | ||
$scope.$broadcast('subject:outOfData'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Did you mean to delete this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I did, because your pseudo-code didn't use it, so I thought deleting was implied in your comment. Was it not? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That code was an example of how to catch errors in a chain of promises, that's all. What did this line do? It looks, to me, like it notifies when the workflow is out of subjects, or something like that. Won't removing it break SW wherever it listens for this event? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You're right. I've been looking into the same 10 lines for too long. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Mind you, not adding it back in helps with stopping requests... There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If I understand correctly, you're adding it back in like this? loadSubjects()
.catch(handleSubjectError)
.then(loadAggregations)
.catch(handleErrors) in which case What you really want to be doing is interrupting the chain, then handling your errors at the end ie. use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No, I was adding it back like this:
But I think it's equivalent. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yep, that's functionally the same as the pseudo-code I posted. A There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should I just remove There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I read that. That's why I said they are equivalent. |
||
} | ||
console.log('Oh no: ', error) | ||
console.log(error); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens here if my session expires while I'm navigating to a different page, such as the home page, or if I'm already transcribing when my session expires (which is the most likely scenario)? Correct me if I'm wrong, but this block looks like it only checks if I'm still logged in when I'm about to load the transcription page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right. Removing the
Transcribe
restriction will take care of navigating e.g. from/transcribe
to home/
. However, if my session expires while I'm transcribing and I clickI'm done
, it'll just look like I'm still logged in and new subject will be served, which isn't right. I'll have to catch the event too.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You want to check for a valid token before every API request anyway, so just remove this check.