hazza/dspace-angular
1
0
Fork 1
mirror of https://github.com/DSpace/dspace-angular.git synced 2025-10-08 18:44:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

use GET for shortlivedtoken requests on the server, POST on the client

Browse Source
This commit is contained in:
Art Lowel
2021-04-06 16:45:06 +02:00
parent 72ca74bdf3
commit ff4bd59de0
9 changed files with 238 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/app/core/auth/auth-request.service.ts
View File

@@ -1,14 +1,9 @@
import { Observable } from 'rxjs';
import { distinctUntilChanged, filter, map, mergeMap, switchMap, tap } from 'rxjs/operators';
import { Injectable } from '@angular/core';
import { HALEndpointService } from '../shared/hal-endpoint.service';
import { RequestService } from '../data/request.service';
import { isNotEmpty } from '../../shared/empty.util';
import {
GetRequest,
PostRequest,
RestRequest,
} from '../data/request.models';
import { GetRequest, PostRequest, RestRequest, } from '../data/request.models';
import { HttpOptions } from '../dspace-rest/dspace-rest.service';
import { getFirstCompletedRemoteData } from '../shared/operators';
import { RemoteDataBuildService } from '../cache/builders/remote-data-build.service';
@@ -17,8 +12,10 @@ import { AuthStatus } from './models/auth-status.model';
import { ShortLivedToken } from './models/short-lived-token.model';
import { URLCombiner } from '../url-combiner/url-combiner';
@Injectable()
export class AuthRequestService {
/**
* Abstract service to send authentication requests
*/
export abstract class AuthRequestService {
protected linkName = 'authn';
protected browseEndpoint = '';
protected shortlivedtokensEndpoint = 'shortlivedtokens';
@@ -62,16 +59,26 @@ export class AuthRequestService {
}
/**
* Send a POST request to retrieve a short-lived token which provides download access of restricted files
* Factory function to create the request object to send. This needs to be a POST client side and
* a GET server side. Due to CSRF validation, the server isn't allowed to send a POST, so we allow
* only the server IP to send a GET to this endpoint.
*
* @param href The href to send the request to
* @protected
*/
protected abstract createShortLivedTokenRequest(href: string): GetRequest | PostRequest;
/**
* Send a request to retrieve a short-lived token which provides download access of restricted files
*/
public getShortlivedToken(): Observable<string> {
return this.halService.getEndpoint(this.linkName).pipe(
filter((href: string) => isNotEmpty(href)),
distinctUntilChanged(),
map((href: string) => new URLCombiner(href, this.shortlivedtokensEndpoint).toString()),
map((endpointURL: string) => new PostRequest(this.requestService.generateRequestId(), endpointURL)),
tap((request: PostRequest) => this.requestService.send(request)),
switchMap((request: PostRequest) => this.rdbService.buildFromRequestUUID<ShortLivedToken>(request.uuid)),
map((endpointURL: string) => this.createShortLivedTokenRequest(endpointURL)),
tap((request: RestRequest) => this.requestService.send(request)),
switchMap((request: RestRequest) => this.rdbService.buildFromRequestUUID<ShortLivedToken>(request.uuid)),
getFirstCompletedRemoteData(),
map((response: RemoteData<ShortLivedToken>) => {
if (response.hasSucceeded) {