kltm
commented
7 years ago Upgraded due to the fact that these are leaking in the wild.
Open kltm opened 7 years ago
kltm
commented
7 years ago Upgraded due to the fact that these are leaking in the wild.
pgaudet
commented
2 years ago As we have more users, this becomes a high priority because it creates confusion - people copy the URL quite frequently to show/share models with colleagues.
kltm
commented
2 years ago I believe this is only functionally an issue in the older codebase. The newer stuff that Tremayne has worked on does a good job of pretty much hiding it.
pgaudet
commented
2 years ago Sure - but people still use the old graph editor, so this is still a problem (unless we plan to retire the graph editor soon??? but I was not aware of that.)
tmushayahama
commented
2 years ago @kltm The code snippet maybe it can help. Most of it vanillaJs APIs besides 'httpClient' and '.subscribe' and be substituted by 'fetch' and 'then' respectively
/* Pass in the barista token, i.e. from the url params. This assumes barista api always works and no error messages */
getUser(baristaTokenParam?: string) {
//Check if there is any in the local storage
const baristaToken = baristaTokenParam ? baristaTokenParam : localStorage.getItem('barista_token');
if (!baristaToken) {
//Log them out
this.baristaToken = null;
this.user = null;
this.onUserChanged.next(this.user);
} else {
// Check if indeed it is a legit token
this.httpClient.get(`${this.baristaUrl}/user_info_by_token/${baristaToken}`)
.subscribe((response: any) => { // you can use promises like then
if (response && response.token) {
//add the token on the local storage
this.user = Contributor.fromResponse(response); //static constructor
this.user.token = this.baristaToken = response.token;
localStorage.setItem('barista_token', this.baristaToken);
} else {
//log them out
this.user = null;
this.baristaToken = null;
localStorage.removeItem('barista_token');
}
this.onUserChanged.next(this.user);// use your way to notify globally
// remove the token on the url you can put this in a finally block in case of error
const url = new URL(window.location.href);
url.searchParams.delete('barista_token');
window.history.replaceState(null, null, url.href);
});
}
}
vanaukenk
commented
1 year ago Just noting here that we had another report of clicking on a bookmarked Noctua URL with no visible token resulting in opening a Noctua instance where a different curator from the one who had clicked on the bookmark was logged in.
I tried the same URL from an email and was taken to the Noctua landing page and wasn't logged in.
I'm not sure how to recreate this issue or test further but wanted to note that this happened more recently.
kltm
commented
1 year ago @vanaukenk Honestly, I think this may be a red herring and something else went on here.
kltm
commented
1 year ago Noting some side conversation at https://github.com/geneontology/noctua/issues/676
Currently, the barista_token argument is exposed in all Noctua URLs once logged in. The main downside here is that users often naively try and share models by copying the whole URL, which causes issues with user and editorial control.
There are several options here, going from most common/sane to the exotic:
It's possible there could be implications depending on how #372 is tackled: cookies or kick--the mechanism may be able to be reused.
We would still have/maintain the option of adding the barista_token in there as an explicit override of the current session--it's just too useful for demonstrations, administrating, hijacking, and switching.