isso-comments / isso

a Disqus alternative
https://isso-comments.de
MIT License

Support sending custom headers (e.g. session token) in requests from Isso JS client #812

Open antont opened 2 years ago

antont commented 2 years ago

Hi - am using external authentication for users with Isso, because we embedded Isso in a system where we already had user info, auth and sessions using bearer tokens.

For the Isso client side requests, like posting a new comment, I needed to add the session token to the requests. I hacked this in a sort of OK way that works for us, by adding a new Isso client param bearer-token-cookie with the name of a cookie. If that is defined, isso/js/app/api.js sets the value of that cookie to the bearer-token header. The commit for that is https://github.com/antont/isso-postgresql/commit/c2fe703f36fa1481fa2148c8b15ddfe69f0de268 (with some little fixes in later ones).

Support for this would be nice to have in Isso upstream, but I figure this would not be the way, but something more generic could do it.

For example, there could be a setting with a custom header name, and the name of a client side getter function, that would work for setting any header with whatever logic.

Or perhaps the client lib could provide some way to register some decorator / callback for customizing requests, in api.js?

Am also open to other proposals. Am doing the actual authentication in a fastapi app, with fastapi-users, where I have a proxy for the Isso API where I intercept the requests and inject the username, planning to set the avatar there too, and perhaps do other feats related to auth. This is related to the discussion in #240 but a different topic; in my case it seems that simply supporting custom headers in the client would allow using external user auth.

antont commented 2 years ago

Thanks for tagging @ix5 - just a note: AFAIK this does not necessarily affect the server side at all. Now I did it by hacking isso/js/app/api.js only in that commit, and it could be some register-extension / wrapper / custom-headers-setter hook in the JS lib. The option is for the script tag in the HTML, could be used for that or not, also can be just a call in the embedding JS to config the header info or so.

Anyway, it is for custom server side usage and not just a front UI issue or so, that's true.

ix5 commented 2 years ago

All I can say on this topic is that this is a prime example for the need for an extension system, both on the client and on the server.

See https://github.com/posativ/isso/issues/813

For example in the curl() function, we might pass the xhr object into an extension hook that runs before xhr.send(), as well as allow hooking onload().

Also related: https://github.com/posativ/isso/issues/105 and https://github.com/posativ/isso/pull/261
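
The hook-before-xhr.send() idea discussed in this thread, as an added sketch that is not Isso's api.js and not code from any participant. The names registerBeforeSend, bearerFromCookie and sendWithHooks are hypothetical, and request URLs are assumed to be absolute; the hook attaches the token only for one configured API origin and drops malformed cookie values.

```javascript
// Added illustration; hypothetical names, not part of Isso.
const beforeSendHooks = [];

function registerBeforeSend(hook) {
  if (typeof hook !== "function") throw new TypeError("hook must be a function");
  beforeSendHooks.push(hook);
}

// Read one cookie value from a document.cookie-style string (value used as stored).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Fail closed: an unparseable (e.g. relative) URL never matches the API origin.
function sameOrigin(url, origin) {
  try {
    return new URL(url).origin === origin;
  } catch (e) {
    return false;
  }
}

// Hook factory. getCookies is injected so the hook can be tested outside a
// browser; in a page it would be () => document.cookie.
function bearerFromCookie({ getCookies, cookieName, headerName, apiOrigin }) {
  return function (xhr, request) {
    // Never send the session token to any host other than the comment API.
    if (!sameOrigin(request.url, apiOrigin)) return;
    const token = readCookie(getCookies(), cookieName);
    // Printable ASCII without spaces only: rejects CR/LF and other control bytes.
    if (!token || !/^[\x21-\x7e]+$/.test(token)) return;
    xhr.setRequestHeader(headerName, token);
  };
}

// Simplified stand-in for a curl()-style helper: hooks run after open(),
// because setRequestHeader() is only valid then, and before send().
function sendWithHooks(xhr, method, url, body) {
  xhr.open(method, url, true);
  for (const hook of beforeSendHooks) hook(xhr, { method, url });
  xhr.send(body);
}
```
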