openknowledge-archive / dpr-api

DEPRECATED - Data Package Registry API and Frontend
http://frictionlessdata.io/
MIT License

Server does not know if Browser user is logged in or not #292

Closed subhankarb closed 7 years ago

subhankarb commented 7 years ago

We are unable to alter server templates and control flow based on the user's authentication status if the user is visiting via a browser (vs. e.g. the API).

Problem

We use JWTs and store them in localStorage. Since these are not sent as part of the request to the server, there is no way for the server to know if the user is authenticated.

Solution

We can store the JWT inside a cookie.

Tasks

Update:

For the local setup the cookie is set perfectly inside the domain http://localhost:5000, but this is not working for our staging environment. The main cause is that we use Lambda, which runs behind API Gateway, so Flask by default sets the cookie for API Gateway's URL, that is {hash}.dpr.amazon.{zone}.

Solution

Set the cookie specifically for staging.datapackaged.com. We can force the cookie to be read only for this domain with resp.set_cookie('jwt', jwt_helper.encode(), domain='staging.datapackaged.com').

Tasks
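The mechanism this issue describes, as an added stand-alone illustration that is not code from the dpr-api project: a JWT is issued in a cookie scoped to one domain (the `domain=` argument from the comment above), the server decides whether the browser user is logged in by reading that cookie back, and a domain-match check shows why a cookie set for the API Gateway host would never be sent to staging.datapackaged.com. It uses only the standard library, so the project's jwt_helper is replaced by a minimal HS256 implementation written for this example; the SECRET value, the placeholder gateway host name and the HttpOnly/Secure/SameSite attributes are assumptions and additions of this example, not something the issue specifies.

```python
"""Added example (not dpr-api project code): JWT in a domain-scoped cookie and
the server-side "is this browser user logged in?" check."""
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

SECRET = b"example-secret-placeholder"  # constructed placeholder, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT encoder standing in for the project's jwt_helper.encode()."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Only accept the algorithm we issue with; never trust alg from the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def build_set_cookie(token: str, domain: str) -> str:
    """Build the Set-Cookie header value, scoped to `domain` as the issue does.
    HttpOnly keeps the token out of page script, Secure keeps it off plain HTTP,
    and SameSite limits cross-site sending now that the browser carries it automatically."""
    c = SimpleCookie()
    c["jwt"] = token
    c["jwt"]["domain"] = domain
    c["jwt"]["path"] = "/"
    c["jwt"]["httponly"] = True
    c["jwt"]["secure"] = True
    c["jwt"]["samesite"] = "Lax"
    return c["jwt"].OutputString()


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain-match: the request host equals the cookie's Domain or is a subdomain of it.
    A cookie scoped to the API Gateway host is therefore never sent to staging.datapackaged.com."""
    cd = cookie_domain.lstrip(".").lower()
    host = request_host.lower()
    return host == cd or host.endswith("." + cd)


def current_user(cookie_header: str, secret: bytes = SECRET, now=None):
    """Server-side view of a browser request: parse the Cookie header and return the
    user's claims, or None. With the token only in localStorage the header carries no
    jwt cookie, which is exactly the situation the issue describes."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    if "jwt" not in c:
        return None
    return jwt_decode(c["jwt"].value, secret, now)


if __name__ == "__main__":
    tok = jwt_encode({"sub": "alice", "exp": int(time.time()) + 3600})
    print(build_set_cookie(tok, "staging.datapackaged.com"))
    print("logged in:", current_user("jwt=" + tok) is not None)
    print("localStorage-only request logged in:", current_user("") is not None)
    # constructed placeholder for the "{hash}.dpr.amazon.{zone}" gateway host
    print("gateway cookie reaches staging:",
          cookie_domain_matches("examplehash.dpr.amazon.example", "staging.datapackaged.com"))
```

The Flask call in the comment above maps onto `build_set_cookie`: `resp.set_cookie('jwt', ..., domain=...)` emits the same `Domain=` attribute, and Flask's `set_cookie` also accepts `httponly`, `secure` and `samesite` keyword arguments for the extra attributes shown here.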

subhankarb commented 7 years ago

The cookie is not persisting for https://staging.datapackaged.com. It works for the local environment.

Fak3 commented 7 years ago

fixes #232

subhankarb commented 7 years ago

@rufuspollock This is working right now. We moved from AWS Lambda to Heroku. Previously the cookie was not persisting for staging.datapackaged.com, as the source domain name was changing in API Gateway. The intermediate domain change is not happening now, so the cookie is now stored for the domain staging.datapackaged.com in the browser cookie store.