Closed glpatcern closed 4 years ago
A general comment: most of the code did not really change and was only moved around. Apart from addressing the remarks, we need to discuss if we want to drop the `allowedclients` logic, as with Reva the authentication relies on both a shared secret and the `TokenHeader`, both non-guessable.
To match https://github.com/cs3org/cs3apis/pull/75, this implements a new `/wopi/iop/open` endpoint with the following arguments:

Required headers:

- `Authorization: Bearer` and the shared Reva/WOPI secret
- `TokenHeader`: an x-access-token to serve as user identity towards Reva

Query parameters:

- `VIEW_MODE_VIEW_ONLY`, `VIEW_MODE_READ_ONLY`, `VIEW_MODE_READ_WRITE`, defaults to `VIEW_MODE_READ_ONLY`

The former whitelist mechanism is dropped, given the double protection provided by the required headers.
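
The two-header check described above, sketched as an added example (not code from this pull request or the project): the function name, the plain-dict inputs, the `viewmode` parameter name and the status codes are assumptions. It only checks that `TokenHeader` is present; validating that token is assumed to happen on the Reva side.

```python
import hmac

# View modes listed in the PR description; the default is the one it states.
VIEW_MODES = ("VIEW_MODE_VIEW_ONLY", "VIEW_MODE_READ_ONLY", "VIEW_MODE_READ_WRITE")
DEFAULT_VIEW_MODE = "VIEW_MODE_READ_ONLY"


def check_open_request(headers, query, shared_secret):
    """Return (http_status, detail) for a request to /wopi/iop/open.

    headers and query are plain dicts. 'viewmode' is a hypothetical
    query parameter name, not taken from the page.
    """
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}

    # 1. Shared Reva/WOPI secret, sent as "Authorization: Bearer <secret>".
    scheme, _, presented = hdrs.get("authorization", "").partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return 401, "missing or malformed Authorization header"
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return 401, "invalid shared secret"

    # 2. User identity towards Reva: required, presence check only here.
    if not hdrs.get("tokenheader", "").strip():
        return 401, "missing TokenHeader"

    # 3. View mode: allow-list with the documented default.
    viewmode = query.get("viewmode") or DEFAULT_VIEW_MODE
    if viewmode not in VIEW_MODES:
        return 400, "invalid view mode"
    return 200, viewmode


if __name__ == "__main__":
    # Constructed sample request, not real credentials.
    sample = {"Authorization": "Bearer s3cret", "TokenHeader": "constructed-token"}
    print(check_open_request(sample, {}, "s3cret"))
```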