r4ds / shinyslack

Integrate Slack and Shiny

GDPR (allow login without cookies) #5

Open jonthegeek opened 2 years ago

jonthegeek commented 2 years ago

Show the cookie warning on the auth code version of the page. If they say no, put their token in the URL, and then parse it, I think? See what's recommended. Maybe set it with setenv and then load the UI? I'm not sure I can make that work.

Research token in query string first.

jonthegeek commented 2 years ago

I think I'd want to pass it in a header. Probably still a good idea to encrypt these tokens, even in the cookies. Of course if the app decrypts them... That doesn't do anything useful, so maybe not?

jonthegeek commented 2 years ago

The beginning of the login is the same regardless, with a "Sign in with Slack" button.

When they return from Slack with a code in the URL, ask if it's OK to set a cookie. If yes, set the cookie like we do now, and reload. If they say no, pass the token <in a secure way TBD, maybe just encoded in the URL or in the header?>