IQSS / dataverse

Open source research data repository software
http://dataverse.org

Don't send long lived API token in the URL for external tools #4414

Closed scolapasta closed 2 months ago

scolapasta commented 6 years ago

Currently when we go to a tool like TwoRavens, we send the API token in the URL. We need such tools to accept the token in the header, and for the dataverse side to send it in the header.

(From Backlog Grooming 1/31) When we make this change, we should support both for a while and then make the change to require it in the header instead of the URL. We should include these messages in the documentation.

matthew-a-dunlap commented 6 years ago

I've been digging into using a header to send the api token during a redirect. A lot of what I'm reading says that when you do a redirect the headers are no longer present (which is also what I've seen from the bit of code I've tested).

"HTTP headers are valid only for the current response. When you set a redirect the current response contains your custom header but when the browser follows the redirect location those headers are no longer present." https://stackoverflow.com/questions/4070430/response-redirect-with-headers

A lot of what I've seen has said to pass the needed data in the url... though I get why we don't want to do that with our api token. Redirects/requests/responses are an area I'm building knowledge on and would appreciate any ideas other folks have!

pameyer commented 6 years ago

~Depending on what's doing the redirect, this might be something that's addressable in the web server config (I've had to do additional configuration for forwarding custom headers for some other cases).~

From conversation, this won't help.

matthew-a-dunlap commented 6 years ago

I discussed a bit more with @pameyer , we think we'll need a different approach than one involving the server config, as our issue is the browser redirecting to an external application.

We discussed digging into redirecting post requests, and I found this forum discussing 307/308 requests as well as a solution using forms to pass information https://softwareengineering.stackexchange.com/questions/99894/why-doesnt-http-have-post-redirect .

Also, another post says that most browsers support 307 / 308 but not IE on older browsers https://stackoverflow.com/questions/42703671/which-browsers-support-307-308-redirects-and-how-do-they-handle-them

matthew-a-dunlap commented 6 years ago

Also, another stackoverflow with BalusC pretty much saying we can't do what we were hoping with standard jsf redirect: https://stackoverflow.com/questions/31416856/jsf-2-external-redirect-and-add-header-while-re-directing

matthew-a-dunlap commented 6 years ago

There has been a fair amount of discussion around this today. We first looked towards using a 307/308 redirect to post the token to the external domain in the request body. This works and will stop users from accidentally copy-pasting their api token to one another in the url. But there are other areas around our use of the API token that could be improved, and we don't want to force multiple updates onto our external applications unless it is required.

In the end it was decided to pull this story out of development for future discussion and design.
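The two behaviours discussed in this thread can be reproduced locally. The following is an added example, not code from the Dataverse project or from anyone in this issue: one small stand-in server plays both the repository and the external tool, a client follows a 302 redirect the way a browser does (honouring `Location` but never replaying the custom `X-Dataverse-key` response header), and then loads a page whose hidden form POSTs the token in the request body, which is the form-based alternative cited above. The token value, the `/redirect`, `/form` and `/tool` paths, and the `X-Dataverse-key` header name are constructed for the demo.

```python
import threading
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample value standing in for an API token; not a real key.
TOKEN = "00000000-0000-0000-0000-000000000000"

# Everything the stand-in "external tool" endpoint observed, one dict per request.
received = []


class Handler(BaseHTTPRequestHandler):
    """One local server playing both roles: the repository and the external tool."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _tool_url(self):
        host, port = self.server.server_address
        return "http://%s:%d/tool" % (host, port)

    def do_GET(self):
        if self.path == "/redirect":
            # Approach 1: 302 redirect carrying the token in a custom response header.
            # The client honours Location but never replays this header to the target.
            self.send_response(302)
            self.send_header("Location", self._tool_url())
            self.send_header("X-Dataverse-key", TOKEN)
            self.end_headers()
        elif self.path == "/form":
            # Approach 2: a page whose form POSTs the token in the request body,
            # so nothing secret appears in the URL the browser navigates to.
            body = ('<form method="post" action="%s">'
                    '<input type="hidden" name="key" value="%s"></form>'
                    % (self._tool_url(), TOKEN)).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path.startswith("/tool"):
            self._record(b"")
        else:
            self.send_error(404)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self._record(self.rfile.read(length))

    def _record(self, body):
        # The external tool side: note what actually arrived.
        received.append({
            "method": self.command,
            "path": self.path,
            "key_header": self.headers.get("X-Dataverse-key"),
            "body": body.decode(),
        })
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")


class FormParser(HTMLParser):
    """Minimal stand-in for the browser auto-submitting the hidden form."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a["value"]


def run_demo():
    """Exercise both approaches; return what the tool endpoint saw for each."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        received.clear()
        # 1. urllib follows the 302 like a browser: a fresh GET with no custom header.
        opener.open(base + "/redirect").read()
        via_redirect = received[-1]
        # 2. Load the form page and submit it, as the browser's auto-submit would.
        page = opener.open(base + "/form").read().decode()
        form = FormParser()
        form.feed(page)
        data = urllib.parse.urlencode(form.fields).encode()
        opener.open(urllib.request.Request(form.action, data=data)).read()
        via_form = received[-1]
    finally:
        server.shutdown()
        server.server_close()
    return {"redirect": via_redirect, "form": via_form}


if __name__ == "__main__":
    for name, seen in run_demo().items():
        print(name, seen["method"], seen["path"], "header:", seen["key_header"], "body:", seen["body"])
```

Running it shows the redirect approach delivering a plain GET to `/tool` with `key_header` set to `None`, while the form approach delivers a POST whose body contains the token and whose path does not. The body of a POST is still visible to the receiving tool and to any TLS-terminating proxy in between, so it avoids the browser-history, Referer and copy-paste exposure of a URL parameter but does not replace transport encryption or short token lifetimes.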

djbrooke commented 3 years ago

Note to self - this is a post-MVP OpenDP need and will be more important as we move towards sensitive data support in Dataverse. We should implement this sooner rather than later.

djbrooke commented 3 years ago
pdurbin commented 11 months ago

Wasn't this delivered by the following pull request?

cmbz commented 2 months ago

To focus on the most important features and bugs, we are closing issues created before 2020 (version 5.0) that are not new feature requests with the label 'Type: Feature'.

If you created this issue and you feel the team should revisit this decision, please reopen the issue and leave a comment.