Add onetime tokens #214
Conversation
Also, it is possible to download files without this system. See: this is to display an image, but could also be used the same way to download it.

Out of curiosity, what is the use case for the onetime single token?

You can do this, and for images it makes sense where you want to do things like prefetch. But for normal files it forces the browser to buffer the entire file in RAM (bad idea). A normal download streams the file.

Pretty much any time you want to download a file (that isn't an image, where you might use an XHR request); say an mtz might be 50-100 MB. When the browser downloads a file you can't send an authorisation header, so you need to do something else. You don't want to append the JWT in the query params because this has relatively long validity and, if stolen, can be used to impersonate the user. These tokens can only be used once and expire on a short time scale if not used (10s, could be shorter).

Okay, then it makes sense to have both possibilities.
Codecov Report

Coverage diff against base branch `beamline-groups-permissions`:

| | beamline-groups-permissions | #214 | +/- |
|---|---|---|---|
| Coverage | 75.26% | 75.31% | +0.05% |
| Files | 80 | 81 | +1 |
| Lines | 2903 | 2974 | +71 |
| Hits | 2185 | 2240 | +55 |
| Misses | 718 | 734 | +16 |
Adds onetime tokens to allow the client to download files from the API. URLs are signed and a unique token generated, which is stored in the db. This can be used a single time to download the signed URL, and otherwise expires on a short timescale (10s).

To be merged after #203.
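The scheme described in the thread and the PR description (signed URL, unique token stored server-side, single use, short expiry) as an added, self-contained example. This is not the project's own implementation: the in-memory dict standing in for the database table, the query parameter names `onetime` and `sig`, the `.mtz` paths and the secret are all assumptions made for illustration.

```python
"""Added example (not the project's code): one-time download tokens.

Assumptions, all hypothetical: an in-memory dict stands in for the DB table,
the query parameters are named `onetime` and `sig`, and the HMAC secret would
come from configuration in real use.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 10  # matches the PR description; could be shorter


@dataclass
class OneTimeToken:
    token: str
    path: str        # the only path this token may be redeemed against
    user_id: int     # whose permissions the download is checked against
    issued_at: float


class OneTimeTokenStore:
    def __init__(self, secret: bytes, ttl: float = TOKEN_TTL_SECONDS) -> None:
        self._secret = secret
        self._ttl = ttl
        self._tokens: dict[str, OneTimeToken] = {}  # hypothetical stand-in for the DB

    def _sign(self, path: str, token: str) -> str:
        # Bind the token to the path so a token issued for one file cannot be
        # replayed against a different URL.
        msg = f"{path}\n{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, path: str, user_id: int, now: Optional[float] = None) -> str:
        """Create a token for an already-authenticated user; return the signed URL."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        issued = now if now is not None else time.time()
        self._tokens[token] = OneTimeToken(token, path, user_id, issued)
        query = urlencode({"onetime": token, "sig": self._sign(path, token)})
        return f"{path}?{query}"

    def redeem(self, url: str, now: Optional[float] = None) -> Optional[OneTimeToken]:
        """Consume the token carried by `url`. Returns the record, or None if rejected."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        token = query.get("onetime", [""])[0]
        sig = query.get("sig", [""])[0]
        # 1. Verify the signature first: forged or tampered URLs never touch the store.
        expected = self._sign(parts.path, token)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        # 2. pop() makes the token single-use: a replayed URL finds nothing.
        record = self._tokens.pop(token, None)
        if record is None:
            return None
        # 3. Short expiry bounds how long a leaked, unused URL stays valid.
        current = now if now is not None else time.time()
        if current - record.issued_at > self._ttl or record.path != parts.path:
            return None
        return record

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping for tokens that were issued but never redeemed."""
        current = now if now is not None else time.time()
        stale = [t for t, r in self._tokens.items() if current - r.issued_at > self._ttl]
        for t in stale:
            del self._tokens[t]
        return len(stale)


def demo() -> dict:
    """Exercise the four cases a reviewer would ask about; returns the outcomes."""
    store = OneTimeTokenStore(secret=b"replace-with-config-secret")
    path = "/files/datacollection/123/example.mtz"   # constructed sample path
    url = store.issue(path, user_id=42, now=1000.0)
    first = store.redeem(url, now=1005.0)             # within 10 s: accepted
    second = store.redeem(url, now=1006.0)            # replay: already consumed
    late_url = store.issue(path, user_id=42, now=1000.0)
    late = store.redeem(late_url, now=1011.0)         # 11 s later: expired
    forged = store.redeem(url.replace("example.mtz", "other.mtz"), now=1005.0)
    store.issue(path, user_id=42, now=1000.0)         # never redeemed: purged later
    return {
        "first_user": first.user_id if first else None,
        "replay_ok": second is not None,
        "late_ok": late is not None,
        "forged_ok": forged is not None,
        "purged": store.purge_expired(now=2000.0),
    }
```

In a deployment the row would be consumed in the same database statement that reads it (for example a `DELETE ... RETURNING`), so two workers racing on the same URL cannot both succeed, and the signed URL is handed to the browser as a plain link or redirect so the file streams to disk instead of being buffered through XHR.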