bcgov / DBC-APIM

DataBC OPEN API Services
Apache License 2.0

B) Enhance modal window (BCDC -> GWA) #45

Closed BK01 closed 7 years ago

BK01 commented 7 years ago

Enhance the DataBC implementation of swagger-ui (in BCDC) to connect to GWA for authorization

Once GWA service in place, fork extension and enable DBC-APIM to communicate with GWA (developer key request).

banders commented 7 years ago

@ll911 I see that GWA requires users to login before they can generate keys.

When we integrate GWA with swagger-ui, which of these two apps should be responsible for sending the user's credentials?

Does the GWA REST API provide any options for users to obtain access without interacting with the user interface? For example does it allow token-based access (i.e. user exchanges login info for a token, then passes token with each request)? Or does the API only allow login via a user-interface?

ll911 commented 7 years ago

@banders When a user clicks the button, they need to click to agree to the terms before the key is created, hence the OAuth2 challenge. Can you include the UI in a modal window and close it when the terms are accepted?

banders commented 7 years ago

@ll911 If I understand correctly, we won't be using the built-in swagger-ui "Authorize" functionality for this. Instead, we'll add a new "Get API key" button in swagger-ui, and we'll give it the following behaviour:

  1. Make GWA REST API call to get a key. The purpose here is just to test if the user is already logged in. If the response is not HTTP 200 we know the user isn't authenticated yet.

  2. If not authenticated, open GWA homepage in a modal window, which will force user to login with github. After login, and still within the modal window, users will also accept terms of use and will click the "Create API Key" button. User closes modal window.

  3. When the modal window is closed, another request to the GWA REST API is made, this time to fetch the same API key that was generated in step 2 (we should get an HTTP 200 response this time). The API key will be stored within swagger-ui and will be sent with any requests that are issued.

Does that seem correct?

ll911 commented 7 years ago

Almost. In step 2, can you chain the event in the modal window so that once "accept term" is checked, the modal window auto-closes and passes the authentication header, e.g. "apikey: XXXXXXXX" or "token: XXXXXXXX", to the API console (step 3)?

banders commented 7 years ago

@ll911 I don't quite see how we can autoclose the modal window when some conditions within the GWA UI are met... does GWA provide some mechanism to support this?

banders commented 7 years ago

@ll911 Is it possible to enable CORS on the GWA REST API?

ll911 commented 7 years ago

Added.


BK01 commented 7 years ago

Initial comments:

BK01 commented 7 years ago

Thoughts on modal window. Perhaps the modal window is to be used once a developer has already visited GWA, read the terms and confirmed access to the API via GWA. The terms should only be read / checked once as the terms apply to all API keys, rather than each API. The modal window is only then used to acquire their existing key while in BCDC. Perhaps a link directly to the GWA instructions (on GitHub) or the GWA homepage itself would be helpful with a label indicating it's required (account setup / terms) prior to attempting to request a key for a specific API. Just a thought...

BK01 commented 7 years ago

@BK01 Workflow review (LL + BK), with 2+ use cases, first, repeat.

banders commented 7 years ago

@BK01 @ll911 If we aim to display the GWA login + UI within a same-page modal window (rather than a pop-up window) then I think we would need to do so within an iframe (inside the modal window). The github login screen that GWA uses has an HTTP header "X-Frame-Options" with a value of "deny". This header tells browsers not to allow the github page to be displayed in an iframe. I think this might be a problem for the same-page modal window idea...

banders commented 7 years ago

@BK01 @ll911 I just wanted to document here a plan that was discussed by phone today. Leo will try to apply some gateway magic to remove the github login screen's HTTP header "X-Frame-Options" from within the GWA auth process. Note, it is best to remove the header instead of changing its value.
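Added example, not part of the thread or of GWA's code: how a browser decides whether a response may be shown in an iframe, covering the `X-Frame-Options: deny` case raised above and what changes once the header is stripped. The origins are constructed placeholders, and the `frame-ancestors` case is an assumption about how a gateway could keep framing limited to one embedding site.

```javascript
// Simplified model: one level of nesting, exact-origin matching only
// (no wildcard hosts or scheme-only sources), a single CSP header.

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function framingAllowed(headers, resourceOrigin, embedderOrigin) {
  const sources = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some((s) =>
      s === '*' ||
      (s === "'self'" && embedderOrigin === resourceOrigin) ||
      s === embedderOrigin);
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === resourceOrigin;
  return true; // no framing restriction: any site may embed the page
}

// Constructed origins for the login page, the catalogue, and an unrelated site.
const LOGIN = 'https://login.example';
const CATALOGUE = 'https://catalogue.example';
const OTHER = 'https://other.example';

const asServed = { 'X-Frame-Options': 'deny' };
const headerStripped = {};
const allowListed = { 'Content-Security-Policy': `frame-ancestors ${CATALOGUE}` };
```

With the header stripped and nothing put in its place, `framingAllowed` returns true for every embedding origin, not only the catalogue.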

BK01 commented 7 years ago

@banders to investigate if it is possible to create a custom message when a developer has a failed attempt to get a key. The first may be due to the fact that their account has not been added to the respective API group by the API owner. If this is the case, present a message directing the developer to email the contact as listed in the swagger definition.

banders commented 7 years ago

@BK01 @ll911 We have a working version of GWA in a modal window, but we're not quite finished with the custom message in response to the GWA 403 error. I currently expect that part will be finished over the weekend, and I'll be able to deliver on Monday August 31.
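Added example, not the project's own code: the three-step "Get API key" flow outlined earlier in the thread, with the custom message for the GWA 403 response. `GWA_KEY_URL`, the `apiKey` JSON field, `openGwaModal` and `contactEmail` are hypothetical names, since the thread does not show GWA's REST API.

```javascript
const GWA_KEY_URL = 'https://gwa.example/rest/apiKey'; // placeholder URL

async function requestKey(fetchFn) {
  // credentials: 'include' sends the GWA session cookie cross-origin. The
  // browser exposes the response only if GWA answers with
  // Access-Control-Allow-Credentials: true and this page's exact origin;
  // a wildcard Access-Control-Allow-Origin is rejected for credentialed calls.
  const res = await fetchFn(GWA_KEY_URL, { credentials: 'include' });
  const key = res.status === 200 ? (await res.json()).apiKey : null;
  return { status: res.status, key };
}

async function getApiKey({ fetchFn, openGwaModal, contactEmail }) {
  // Step 1: probe. Anything other than HTTP 200 means "not logged in yet".
  let result = await requestKey(fetchFn);
  if (result.status !== 200) {
    // Step 2: the user logs in and accepts the terms inside the modal; the
    // promise resolves when the modal is closed.
    await openGwaModal();
    // Step 3: fetch the key that was created in step 2.
    result = await requestKey(fetchFn);
  }
  if (result.status === 200) {
    // Assumption: the key is held in memory only and sent as a request header.
    return { ok: true, headers: { apikey: result.key } };
  }
  if (result.status === 403) {
    // Logged in, but the account is not in the API's group yet.
    return {
      ok: false,
      message: "Your account has not been added to this API's group. " +
        `Please email ${contactEmail} to request access.`,
    };
  }
  return { ok: false, message: `Could not get an API key (HTTP ${result.status}).` };
}
```

In a browser, `fetchFn` would be `window.fetch` and `contactEmail` would come from the contact listed in the swagger definition.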

BK01 commented 7 years ago

Is it possible to remove the horizontal scroll bar from the modal window?

banders commented 7 years ago

@BK01 GWA's "Developer API Key" panel stretches horizontally when opened in a small window (or iframe). That results in horizontal scroll bars. We can't use css within swagger-ui to hide the iframe's scroll bars, but there are other options to eliminate the scroll bars. When showing GWA in a swagger-ui modal, we could make the modal window wide enough to avoid the horizontal scroll bars, but that would require it to be wider than the space permitted by the BCDC template. A better option is to modify GWA to make the UI more friendly to small screens. For our purpose, we need GWA not to require horizontal scrolling in windows of ~450px width.

BK01 commented 7 years ago

@banders Thanks. We will look into a modification to GWA to eliminate the scroll bar.

BK01 commented 7 years ago

New version of GWA received, to be migrated to TEST (reduced width), and re-tested.

BK01 commented 7 years ago

GWA migrated to TEST, modal window re-tested in cad.data successfully. Both horizontal and vertical scroll bars removed.

BK01 commented 7 years ago

API key / credential tests to be repeated once all components are pointing to same / parallel environment.