Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Port digital-utsc work to pass auth token to Cantaloupe. #32

Draft
wants to merge 5 commits into
base: 2.x
Choose a base branch
from

Conversation

alxp
Copy link
Contributor

@alxp alxp commented Sep 15, 2023

What does this Pull Request do?

Ports the work that @kylehuynh205 did to pass along the Islandora Authorization token to every request made by the Mirador viewer to Cantaloupe so Cantaloupe can retrieve images from Fedora or other private locations.

What's new?

The Mirador Viewer wrapper Javascript code now adds the Islandora auth token to the Javascript settings array.

It then adds this token to the Mirador config array.

It also sets up a service worker that adds the auth headers to the image requests that get made to retrieve the thumbnails which are simple img tags.

  • Does this change add any new dependencies? No
  • Does this change require any other modifications to be made to the repository
    (i.e. Regeneration activity, etc.)? No
  • Could this change impact execution of existing code? No

How should this be tested?

Testing instructions to come.

Documentation Status

  • Does this change existing behaviour that's currently documented? No
  • Does this change require new pages or sections of documentation? Yes
  • Who does this need to be documented for? Developers, site owners
  • Associated documentation pull request(s): ___ or documentation issue ___

Additional Notes:

Any additional information that you think would be helpful when reviewing this
PR.

Interested parties

Tag (@ mention) interested parties or, if unsure, @Islandora/committers @kylehuynh205

Comment on lines +35 to +37
if (!empty(\Drupal::hasService('jwt.authentication.jwt'))) {
$variables['#attached']['drupalSettings']['token'] = \Drupal::service('jwt.authentication.jwt')->generateToken();
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This continues to propagate the issue of time-limited tokens being maintained potentially perpetually in cache: needs the cache metadata to limit how long the templated content could be used.

});

self.addEventListener('fetch', function (event) {
if (event.request.destination === "image" && new URL(event.request.url).pathname.startsWith('/cantaloupe/iiif/') && new URL(location).searchParams.has('token')) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure the .startsWith('/cantaloupe/iiif') bit here is properly portable? Is into deployment details?

// do not have authorization or token headers. Attach them using a service worker.
window.addEventListener('load', () => {
navigator.serviceWorker
.register('/islandora_mirador_service_worker?token=' + settings.token, { scope: '/' })
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure this is fully portable, with the assumption of the site being directly on the root? As in, if using language or site path prefixing, then should this follow suit? Drupal might expose a helper for this?

@@ -32,6 +32,11 @@ function islandora_mirador_theme() {
function template_preprocess_mirador(&$variables) {
$variables['mirador_view_id'] = Html::getUniqueId($variables['mirador_view_id']);

if (!empty(\Drupal::hasService('jwt.authentication.jwt'))) {
$variables['#attached']['drupalSettings']['token'] = \Drupal::service('jwt.authentication.jwt')->generateToken();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This token's TTL needs to be part of the cacheable metadata, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty much.

$response = new BinaryFileResponse($file_str, 200);
$response->headers->set('Content-Type', 'application/javascript');
// Allow same origin service worker.
$response->headers->set('Service-Worker-Allowed', '/');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm guessing this HTTP header is the reason we're adding this controller instead of just serving the JS?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to go in the cantaloupe server?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes; although I'm sure it could be slimmed down.

@adam-vessey adam-vessey marked this pull request as draft August 7, 2024 17:15
@kylehuynh205
Copy link

Hi @alxp, by any change this PR or the branch https://github.com/Islandora/islandora_mirador/tree/31-auth-token is going to be merged ? Thanks

@alxp
Copy link
Contributor Author

alxp commented Oct 16, 2024

Hi @kylehuynh205 , My work is not prioritizing making the changes that people in this thread have requested above, so I'm not scheduled to spend any time on it. Since you wrote the code originally, it might be best if you took over this ticket to get it through.

The biggest thing that would help might be a way to test an item that should not be visible to anonymous users. This could maybe just be a piece of unpublished content. The ISle chnage to include the access check ruby script would also be helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants