Open MartijnR opened 5 years ago
OC parent window:

```js
const iframe = document.querySelector( 'iframe' );
const enketoUrl = iframe.src;
// Send the message once the iframe has completely finished loading.
// The `load` listener goes on the <iframe> element itself: the cross-origin
// `contentWindow` does not expose `addEventListener` to the parent page.
// Pass an object with an `authToken` property; the second argument limits
// delivery to the Enketo origin.
iframe.addEventListener( 'load', () => {
    iframe.contentWindow.postMessage( { 'authToken': 'abc123' }, enketoUrl );
} );
```
Enketo settings.js:

```js
window.addEventListener( 'message', event => {
    // Only accept the token from the expected parent (OC) origin. A cross-origin
    // `window.parent.location.origin` cannot be read, so Enketo has to know the
    // parent origin up front (assumed here to be `settings.parentWindowOrigin`).
    if ( event.origin === settings.parentWindowOrigin && event.data && event.data.authToken ) {
        settings.authToken = event.data.authToken;
    }
}, false );
```
@pbowen-oc, I'm wondering if this token authentication is meant to be used only for records and media files belonging to records, or also for the form itself and its resources (data, media).
@MartijnR - I think we intended it to be used for all calls so that a user without a valid token could not load a partial view of the form or get to some of the associated files that may contain user lists, data from other forms, etc.
@svadla-oc - Can you comment on how widespread the use of the auth token should be in calls from Enketo?
Yes, all API calls to OC should be authenticated using the token.
```json
"authentication": {
    "type": "token message",
    "url": "http://example.com/login?return={RETURNURL}"
}
```
In order to pass the token received in the message from the parent window on to the Enketo server, so it can be added as a bearer Authorization header to each OC request, Enketo stores the token in a cookie (for internal use). This is a plaintext cookie that will stay valid for 24 hours.

This is ready for testing in develop.
We may have to look into the following outstanding potential issues:

- [ ] should the cookie be set to https only (secure=true)?
- [ ] are there implications to users being able to read the token value in the cookie?
- [ ] is the expiry time a problem? We can also let the cookie expire at the end of the session.

@svadla-oc - Can you look at Martijn's questions in the previous comment?

> should the cookie be set to https only (secure=true)?

Yes, and maybe also set the httpOnly flag to true.

> are there implications to users being able to read the token value in the cookie?

This is okay since the token is supposed to have a short expiration time.

> is the expiry time a problem? We can also let the cookie expire at the end of the session.

I think it's better to expire the cookie at the end of the session.
estimate: up to 5 hours of work
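The server-side half of the handoff discussed above (keep the posted token in an internal cookie, then attach it as a bearer header to each OC request), written as an added example with the cookie flags the checklist settles on; this is not code from enketo-express-oc, and the cookie name is a placeholder.

```javascript
// Added example, not enketo-express-oc code. Pure helpers so it runs offline;
// the cookie name is a hypothetical placeholder.
const COOKIE_NAME = '__enketo_oc_token';

// Build the Set-Cookie header for a token received via postMessage.
// No Max-Age/Expires -> session cookie (dropped when the browser session ends);
// HttpOnly -> page scripts cannot read it; Secure + SameSite=None -> required
// for a cookie that must be sent to Enketo while it runs in a cross-site iframe.
function buildTokenCookie(token) {
    // Refuse values that could break out of the cookie attribute syntax.
    if (typeof token !== 'string' || !/^[A-Za-z0-9._~+/=-]+$/.test(token)) {
        throw new Error('token must be a non-empty string of cookie-safe characters');
    }
    return `${COOKIE_NAME}=${token}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Parse a request Cookie header into a name -> value map.
function parseCookies(header = '') {
    const jar = {};
    for (const part of header.split(';')) {
        const idx = part.indexOf('=');
        if (idx > 0) {
            jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
        }
    }
    return jar;
}

// Turn the token stored in the internal cookie into the Authorization header
// that the Enketo server attaches to every request it makes to OC.
function ocAuthHeaders(cookieHeader) {
    const token = parseCookies(cookieHeader)[COOKIE_NAME];
    if (!token) {
        // Fail closed: with no token, the OC request is not sent at all.
        throw new Error('no OC auth token present; refusing unauthenticated OC request');
    }
    return { Authorization: `Bearer ${token}` };
}

// Walk-through with a constructed token: issue the cookie, then reuse it.
console.log(buildTokenCookie('abc123'));
console.log(ocAuthHeaders(`${COOKIE_NAME}=abc123; other=1`));
```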
@svadla-oc, this is not being used yet at the moment, right? I see an issue here: https://github.com/OpenClinica/enketo-express-oc/issues/581#issuecomment-1252370014 that looks like it is caused by this draft feature.
I'm wondering if I should remove all this code (temporarily) if it won't be used or tested for a while.
@MartijnR yes, we haven't integrated with this yet.
If you remove it, would you plan to add it back in soon? This authentication mechanism is something we would want to integrate with soon so it would be good to have it added back in.
Thanks. I think maybe I should just finish it properly then. It looks like there is some outstanding work to do.