Right now we store the JWT token in browser localStorage after login. So our authentication process would look like this:

1. User opens a restricted URL (for example, a private package)
2. Server delivers some blank page with a JS script
3. Script is executed in the browser, retrieves the token from localStorage
4. Script calls the server again to fetch the actual page content, but now adds the retrieved token to the request header.
5. Server checks that the token is valid, the user exists and is authorized to access the data.
6. Server responds with the actual restricted page content.

Not only does this create a double roundtrip to the server and perceived slowness of the page load, but it is also complicated to implement correctly and just a bad design.

We can get rid of the extra roundtrip if we store the auth credentials in cookies. We can store the JWT there, but it will be much harder to implement than using ready solutions like flask-login or flask-security,
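To make the cookie-based flow concrete, here is an added example that is not part of the issue or of the dpr-api code base. It uses only the Python standard library (no Flask) and models what a single restricted-route handler would do: read the token from the `Cookie` header of the first request, verify an HS256 JWT, and return the page in one roundtrip. The names `issue_token`, `verify_token`, `login_set_cookie_header`, `serve_restricted`, the cookie name `jwt` and the secret are all assumptions made for this example; `get_user_from_cookie` here is a hypothetical stand-in, not the project's function of that name.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import CookieError, SimpleCookie
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-not-for-production"
COOKIE_NAME = "jwt"  # assumed cookie name for this example


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) for user_id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the verifier, not the token's "alg" field, decides.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):  # malformed base64 / JSON / structure
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def login_set_cookie_header(user_id: str, now: Optional[int] = None) -> str:
    """Value of the Set-Cookie header sent after a successful login.

    HttpOnly keeps page scripts from reading the token (unlike localStorage),
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending.
    """
    token = issue_token(user_id, now=now)
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def get_user_from_cookie(cookie_header: str, now: Optional[int] = None) -> Optional[str]:
    """Hypothetical helper: pull the token out of the Cookie header and verify it."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # unparsable header is treated as anonymous
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    payload = verify_token(morsel.value, now=now)
    return payload["sub"] if payload else None


def serve_restricted(cookie_header: str, now: Optional[int] = None) -> Tuple[int, str]:
    """One request, one response: authorize from the cookie and return the page
    directly, instead of a blank page plus a script that re-requests with a header."""
    user = get_user_from_cookie(cookie_header, now=now)
    if user is None:
        return 401, "login required"
    return 200, f"private package page for {user}"


if __name__ == "__main__":
    set_cookie = login_set_cookie_header("alice")
    cookie_value = set_cookie.split(";")[0]  # what the browser sends back: "jwt=<token>"
    print(set_cookie)
    print(serve_restricted(cookie_value))
    print(serve_restricted(""))
```

The browser sends the cookie automatically on the very first request for the restricted URL, so the "blank page plus script" hop disappears; the `HttpOnly` flag is what makes the cookie safer than localStorage against token theft by injected scripts.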
Acceptance criteria
Tasks
Analysis
Exploring the code history, this issue was fixed back in March in this commit: https://github.com/frictionlessdata/dpr-api/commit/5fe695f131656c0bd87cc05537470ffe053c4251

To be exact, adding the get_user_from_cookie() method to __init__.py. Also see the discussion here: https://github.com/frictionlessdata/dpr-api/issues/292