🐛 Post-based identity bug fix #21533
Conversation
Change-Id: If62f3e30fc6610e454c388751a19775b1c920aba
Change-Id: I6f879df5d908045585fe5d30d744ddfcd9e48d86
Change-Id: Ib05f5620fbbcb565b466574b819476d74cb9ba8a
Change-Id: Ia8be818ae853973d8ff362bed1bb39a5d36d480c
| * @param {!Element} element | ||
| * @return {!Promise<string|undefined>} | ||
| */ | ||
| export function getViewerAuthTokenIfAvailable(win, element) { | ||
| export function getViewerAuthTokenIfAvailable(element) { |
There was a problem hiding this comment.
An alternative fix is to resolve with empty string instead of undefined, and then change the check in batchFetchJsonFor to compare against undefined instead of truthy. I.e.
return Services.viewerAssistanceForDocOrNull(element).then(va => {
userAssert(va, 'crossorigin="amp-viewer-auth-token-post" requires amp-viewer-assistance extension.');
return va.getIdTokenPromise();
}).then(token => token || '').catch(() => ''); // Return empty string if token is not available.This preserves the current semantics by keeping the "crossorigin" attribute encapsulated in this helper function. WDYT?
There was a problem hiding this comment.
I am okay with having the token return an empty string instead of undefined without a token, but it's important to still transform the request without a token based on the presence of the crossorigin attribute -- not the identity token.
If I'm understanding your proposal correctly, the token would only be undefined in cases where getViewerAuthTokenIfAvailable isn't called at all. However, getViewerAuthTokenIfAvailable will always be called in amp-state and amp-list before being passed to the batched-json call, so it will always transform the request into a POST because the opt_token !== undefined.
There was a problem hiding this comment.
Here's a clearer snippet of what I'm suggesting:
if (crossOriginAttr
&& crossOriginAttr.trim() === 'amp-viewer-auth-token-via-post') {
return Services.viewerAssistanceForDocOrNull(element).then(va => {
userAssert(va, 'crossorigin="amp-viewer-auth-token-post" '
+ 'requires amp-viewer-assistance extension.');
return va.getIdTokenPromise();
})
// If crossorigin attribute is present, resolve with token or empty string.
.then(token => token || '').catch(() => '');
}
// If crossorigin attribute is missing, always resolve with undefined.
return Promise.resolve(undefined);Would that work?
There was a problem hiding this comment.
Ah yes, that makes sense. This solution should work! Thanks.
There was a problem hiding this comment.
Just made the changes and added some tests. Thanks for the suggestion!
Change-Id: I9f9aab8d87e0cffe273072b3409c6cb40d2d1e4d
…-fix Change-Id: I791d22fef6876cebfcc150a1298d9c2daea65f31
Change-Id: I3e39fe0dbd2d2dc74404d603c3460e750d07be19
|
Looks great. |
Bug fix
Fix a bug with POST based identity request using
batched-xhr. In Pull Request (#21107), I mistakenly removed thecrossoriginattribute check in thebatchFetchJsonForin favor of checking for the identity token. See this discussion.Expected behavior: Adding the
crossorigin="amp-viewer-auth-token-via-post"attribute toamp-state,amp-list&-formshould transform the request to POST and attach the viewer identity token.Current behavior: Without an identity token,
amp-stateandamp-listwill send a GET request regardless of the presence of thecrossoriginattribute.Proposed solution: When the
crossoriginattribute is present on the remote xhr extension, the request should always be transformed into a POST request. Without an identity token, an empty token will be sent instead.Additional Clean Up
getViewerAuthTokenIfAvailablein the newxhr-utilstests.windowargument fromgetViewerAuthTokenIfAvailableas requested here.cc @choumx