aptible / fridge

Token validation for distributed resource servers
MIT License

Restrict cookies to only the auth domain #11

Closed robertfairhead closed 3 years ago

robertfairhead commented 3 years ago

See: https://aptible.slack.com/archives/C0D7LB6LF/p1611332660036200

The Fridge cookie is used to store a read-only ("sessionized") token. It can then be used to GET the current_token endpoint on auth to get a "manage" scoped token.

We are restricting the token to the auth subdomain only so that our users' browsers will not send it to ALL aptible.com subdomains, as it currently does. We are now hosting some aptible subdomains with third-party vendors as well as in customer stacks for Crazylegs. This change will prevent those services from getting access to Aptible tokens through those cookies.


Pulled into auth in: https://github.com/aptible/auth-api/pull/417
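The scoping problem described in this issue, as an added example (not code from aptible/fridge or auth-api): a small model of RFC 6265 domain matching that shows which hosts a browser sends the cookie to when the auth service sets `Domain=aptible.com` versus when it omits the attribute (a host-only cookie bound to the host that set it). The host names, the cookie name and the `auth_host` parameter standing in for the Rails config value are constructed for illustration.

```ruby
# Added example, not part of aptible/fridge or auth-api.
# Models the browser-side rule (RFC 6265 sections 5.1.3 and 5.2.3) that decides
# whether a cookie is attached to a request, so the "before" and "after" cookie
# scopes from the issue can be compared on constructed host names.

# Would a cookie that +set_by+ issued with the given Domain attribute be sent on
# a request to +request_host+?  cookie_domain nil means no Domain attribute was
# set, i.e. a host-only cookie.
def cookie_sent?(request_host:, set_by:, cookie_domain: nil)
  request_host = request_host.downcase
  if cookie_domain.nil?
    # Host-only cookie: only the exact host that set it ever receives it.
    return request_host == set_by.downcase
  end
  # Browsers ignore a leading dot; the cookie then domain-matches the domain
  # itself and every subdomain of it.
  domain = cookie_domain.downcase.sub(/\A\./, "")
  request_host == domain || request_host.end_with?(".#{domain}")
end

# Given a list of hosts, return those that would receive the cookie.
def hosts_receiving_cookie(hosts, set_by:, cookie_domain: nil)
  hosts.select { |h| cookie_sent?(request_host: h, set_by: set_by, cookie_domain: cookie_domain) }
end

# Build the Set-Cookie header the auth service would emit. +auth_host+ is a
# stand-in for the Rails config value mentioned in the issue (an assumption);
# passing nil emits a host-only cookie.
def set_cookie_header(name, value, auth_host: nil)
  attrs = ["#{name}=#{value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
  attrs.insert(1, "Domain=#{auth_host}") if auth_host
  attrs.join("; ")
end

# Constructed hosts: the auth service, a vendor-hosted subdomain, the apex, and
# a look-alike that must never match.
HOSTS = %w[auth.aptible.com vendor.aptible.com aptible.com evilaptible.com].freeze

if $PROGRAM_NAME == __FILE__
  puts "before: " + set_cookie_header("fridge", "sessionized", auth_host: "aptible.com")
  p hosts_receiving_cookie(HOSTS, set_by: "auth.aptible.com", cookie_domain: "aptible.com")
  puts "after:  " + set_cookie_header("fridge", "sessionized")
  p hosts_receiving_cookie(HOSTS, set_by: "auth.aptible.com")
end
```

In a Rails app the equivalent of the "after" form is simply not passing `domain:` when assigning `cookies[...]`, which yields a host-only cookie; passing `domain: "aptible.com"` reproduces the "before" behaviour where every subdomain, including vendor-hosted ones, receives the token.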

robertfairhead commented 3 years ago

@almathew I'm putting you as my default reviewer. If I should re-assign to Frank, let me know

almathew commented 3 years ago

I went ahead and swapped Frank to reviewer as semi-suggested, since I have a bit less context anyway

robertfairhead commented 3 years ago

👍 on the change in reviewer. I need to change it from hard coded "aptible.com" to use the auth rails config value so it'll work on sandboxes. I'll do that once I'm back from the dentist this morning.

robertfairhead commented 3 years ago

This was tested and confirmed working via https://github.com/aptible/auth-api/pull/417