OpenClinica / enketo-oc

OpenClinica's fork of the Enketo web forms monorepo
Apache License 2.0

Pass auth token in postMessage from parentWindow #166

Open MartijnR opened 5 years ago

MartijnR commented 5 years ago

look into this

MartijnR commented 5 years ago

OC parentwindow:

const iframe = document.querySelector( 'iframe' );
// postMessage only needs the target origin; derive it from the iframe URL.
const enketoOrigin = new URL( iframe.src ).origin;
// Listen on the iframe element itself: a cross-origin contentWindow
// cannot have listeners attached (the property access throws a SecurityError).
// Send the message once the iframe has completely finished loading.
// Pass an object with an `authToken` property.
iframe.addEventListener( 'load', () => {
    iframe.contentWindow.postMessage( { 'authToken': 'abc123' }, enketoOrigin );
} );

Enketo settings.js

// `window.parent.location.origin` throws a SecurityError when the parent is
// cross-origin, so compare against a configured origin instead
// (`settings.parentWindowOrigin` is assumed here to hold the OC origin).
window.addEventListener( 'message', event => {
    if ( event.origin === settings.parentWindowOrigin && event.data && typeof event.data.authToken === 'string' ) {
        settings.authToken = event.data.authToken;
    }
}, false );
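
As an added example (not code from this issue or from the enketo-oc project), the same hand-off written as a ready/token handshake: the iframe announces that its listener is installed, and the parent replies with the token addressed to the Enketo origin only. Both sides take the trusted origin as configuration instead of reading `window.parent.location.origin`, which throws when the parent is cross-origin. The names `createTokenReceiver`, `createTokenSender`, the `'enketo-ready'` message type and the `wire*` helpers are assumptions made for this illustration.

```javascript
// Added example, not the project's code. All names below are assumed.

// Enketo (iframe) side: accept the token only from the configured parent
// origin and only when the payload has the expected shape. Returns whether
// the message was accepted so the behaviour can be checked outside a browser.
function createTokenReceiver({ allowedParentOrigin, settings }) {
  return function onMessage(event) {
    if (event.origin !== allowedParentOrigin) {
      return false; // some other window (or the page itself); ignore it
    }
    const data = event.data;
    if (data === null || typeof data !== 'object' ||
        typeof data.authToken !== 'string' || data.authToken === '') {
      return false; // wrong shape: a string, an array, a missing token
    }
    settings.authToken = data.authToken;
    return true;
  };
}

// OC (parent) side: reply with the token only to a 'ready' announcement that
// came from the Enketo origin, and address the reply to that origin only, so
// the token is never delivered to a frame that has navigated elsewhere.
function createTokenSender({ enketoOrigin, token }) {
  return function onMessage(event) {
    if (event.origin !== enketoOrigin || !event.source) {
      return false;
    }
    const data = event.data;
    if (data === null || typeof data !== 'object' || data.type !== 'enketo-ready') {
      return false;
    }
    event.source.postMessage({ authToken: token }, enketoOrigin);
    return true;
  };
}

// Browser wiring (assumed configuration values are passed in by the caller).
// Inside the iframe: install the listener first, then announce readiness.
function wireEnketoSide(win, settings, parentOrigin) {
  win.addEventListener('message',
    createTokenReceiver({ allowedParentOrigin: parentOrigin, settings }));
  win.parent.postMessage({ type: 'enketo-ready' }, parentOrigin);
}

// In the parent window: answer readiness announcements from the Enketo origin.
function wireParentSide(win, enketoOrigin, token) {
  win.addEventListener('message', createTokenSender({ enketoOrigin, token }));
}
```

Because the iframe asks for the token after its own listener exists, the parent no longer has to guess when the `load` event fires relative to the child's script execution, and a message that arrives from any origin other than the configured one is dropped before its payload is inspected.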

MartijnR commented 5 years ago

@pbowen-oc, I'm wondering if this token authentication is meant to be used only for records and media files belonging to records, or also for the form itself and its resources (data, media).

pbowen-oc commented 5 years ago

@MartijnR - I think we intended it to be used for all calls so that a user without a valid token could not load a partial view of the form or get to some of the associated files that may contain user lists, data from other forms, etc.

@svadla-oc - Can you comment on how widespread the use of the auth token should be in calls from Enketo?

svadla-oc commented 5 years ago

Yes, all API calls to OC should be authenticated using the token.

MartijnR commented 5 years ago

"authentication" : {
    "type": "token message",
    "url": "http://example.com/login?return={RETURNURL}"
}

MartijnR commented 5 years ago

In order to pass the token received in the message from the parentWindow to the Enketo server, so it can be added as a bearer Authorization header to each OC request, Enketo stores the token in a cookie (for internal use). This is a plaintext cookie that will stay valid for 24 hrs.

This is ready for testing in develop.

We may have to look into the following outstanding potential issues:

pbowen-oc commented 5 years ago

@svadla-oc - Can you look at Martijn's questions in the previous comment?

svadla-oc commented 5 years ago

  • [ ] should the cookie be set to https only (secure=true)?

Yes and maybe also set the httpOnly flag to true.

  • [ ] are there implications to users being able to read the token value in the cookie?

This is okay since the token is supposed to have a short expiration time.

  • [ ] is the expiry time a problem? We can also let the cookie expire at the end of the session.

I think it's better to expire the cookie at the end of the session.
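
As an added example (not code from this issue or from the enketo-oc project), the internal token cookie built with the flags discussed above (Secure, HttpOnly, session expiry when no Max-Age is given), plus the server-side step that reads it back and produces the bearer Authorization header for the OC request. `TOKEN_COOKIE`, `buildTokenCookie`, `parseCookies` and `authorizationFromCookies` are assumed names for this illustration, and the cookie name is made up.

```javascript
// Added example, not the project's code. Names and the cookie name are assumed.

const TOKEN_COOKIE = 'oc-auth-token';

// RFC 6265 cookie-octet: printable US-ASCII except space, DQUOTE, comma,
// semicolon and backslash. Anything else could smuggle extra attributes
// into the Set-Cookie line or break the Cookie header on the way back.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/;

// Builds the Set-Cookie header value for the token. Secure and HttpOnly are
// on by default; leaving maxAgeSeconds null makes it a session cookie.
function buildTokenCookie(token, options = {}) {
  const { secure = true, httpOnly = true, sameSite = 'Lax', maxAgeSeconds = null } = options;
  if (typeof token !== 'string' || !COOKIE_VALUE.test(token)) {
    throw new Error('token is not a valid cookie value');
  }
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error('unsupported SameSite value');
  }
  // Browsers reject SameSite=None without Secure, and None is the setting a
  // cross-site iframe needs before the cookie is sent with its requests at all.
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [`${TOKEN_COOKIE}=${token}`, 'Path=/'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  if (maxAgeSeconds !== null) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Minimal Cookie request-header parser: name=value pairs separated by ';'.
// The first occurrence of a name wins, matching common server behaviour.
function parseCookies(cookieHeader) {
  const cookies = Object.create(null);
  if (typeof cookieHeader !== 'string') return cookies;
  for (const pair of cookieHeader.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (name !== '' && !(name in cookies)) cookies[name] = value;
  }
  return cookies;
}

// Server side: turn the cookie back into the bearer header for the OC call.
// Returns null when no usable token is present, so the caller can refuse to
// forward the request rather than send an empty Authorization header.
function authorizationFromCookies(cookieHeader) {
  const token = parseCookies(cookieHeader)[TOKEN_COOKIE];
  if (!token || !COOKIE_VALUE.test(token)) return null;
  return `Bearer ${token}`;
}
```

Two caveats follow from the flags chosen here. An HttpOnly cookie cannot be written from `document.cookie`, so the token that arrives in the iframe over postMessage has to be handed to the Enketo server (for example in a request body) and set by the server in a Set-Cookie response. And SameSite depends on the deployment: if the OC parent page and the Enketo iframe are on different sites, the browser only attaches the cookie to the iframe's requests when it is `SameSite=None; Secure`; `Lax` or `Strict` is the safer choice when both share a site.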

MartijnR commented 3 years ago

estimate: up to 5 hours of work

MartijnR commented 1 year ago

@svadla-oc, this is not being used yet at the moment, right? I see an issue here: https://github.com/OpenClinica/enketo-express-oc/issues/581#issuecomment-1252370014 that looks like it is caused by this draft feature.

I'm wondering if I should remove all this code (temporarily) if it won't be used or tested for a while.

svadla-oc commented 1 year ago

@MartijnR yes, we haven't integrated with this yet.

svadla-oc commented 1 year ago

If you remove it, would you plan to add it back in soon? This authentication mechanism is something we would want to integrate with soon so it would be good to have it added back in.

MartijnR commented 1 year ago

Thanks. I think maybe I should just finish it properly then. It looks like there is some outstanding work to do.