
I'm using OAuth2.

The DataAdapterMixin automatically adds the Authorization header to all Ember Data requests. The session service authorize method can be used to add it to Ajax calls, but how can I ensure the header is added to GET requests made from the browser? I've tried creating a custom authorizer as explained in the docs, but the authorize method is not called.

My application stores scans of invoices and statements (usually PDFs) which can only be seen by an authorized user. Based on the user's actions, I am changing the data attribute of an object tag.

This

<object data={{attachViewURL}} width="800px" height="1200px">

is rendered as something like this:

<object data="/scans/attachments/11"  width="800px" height="1200px">

This works fine except the authorization.

Any advice would be most appreciated. I'm new to Ember, so if I am going about this the wrong way, please let me know.

  • Just checking I understand correctly (as your sample code doesn't really match your question), you effectively want to add "Authorization: Bearer XXXXXXXXXX" to your http header (as per oAuth standards)? – Stephen Wright Dec 03 '15 at 10:50
  • Yes, that's exactly what I meant. For that header to be added on all requests. – Tim Romero Dec 04 '15 at 11:28

2 Answers


In lieu of you answering my comment, I'm just going to put my solution here:

import Ember from 'ember';
import SimpleAuth from 'simple-auth/authorizers/base';

export default SimpleAuth.extend({
    authorize: function(jqXHR) {
        var token = this.get('session.secure.token');
        if (this.get('session.isAuthenticated') && !Ember.isEmpty(token)) {
          // setRequestHeader takes (name, value): the scheme and token form one value
          jqXHR.setRequestHeader('Authorization', 'Bearer ' + token);
        }
    },
});

You'll likely want to do a bit more checking etc, but that's pretty much all you need to do to actually set the header; just overriding the authorize function that is built in to ember-simple-auth to set a header once the authorization has passed (as defined by both the session.isAuthenticated boolean and the passed token).

EDIT:

I forgot that you need to also define that you're using your local authorizer in your simple-auth config (that tripped me up for a while because I assumed that ember-simple-auth would use the overridden local authorizer by default):

ENV['simple-auth'] = {
  authenticationRoute: 'login',
  authorizer: 'authorizer:local',
  session: 'session:user-session',
  routeAfterAuthentication: 'dashboard'
}

I'll try and dig up where I got this from (because the ember-simple-auth docs aren't particularly good at describing self-rolled authorization mechanisms...)

EDIT 2: As marcoow pointed out (and he should know, he wrote ember-simple-auth!), this is pre-1.0 behaviour. The authorizer is now part of the session service, which needs to be injected into the application. See ember-simple-labs pre-1.0 upgrade

Stephen Wright
  • Be aware that this only applies to Ember Simple Auth pre 1.0. – marcoow Dec 04 '15 at 11:16
  • Thanks @stephen for taking the time to respond, but it doesn't seem to work. It seems that the authorize method is simply not invoked when the GET is initiated from the browser. – Tim Romero Dec 04 '15 at 11:27

The only approach I've managed to get working is to include the access token in the generated URL and then manually authenticate on the back end.

The URL ends up looking something like:

<object  data="/scans/attachments/11?token=a0a59197-afab-438a-b6cf-11237e51a2d5"  width="800px" height="1200px">

I'm not proud of this workaround. It's horrible programming, but it's the only thing I've gotten working so far.
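
An alternative that keeps the token out of the URL (and so out of server logs, browser history and Referer headers), as an added example that is not part of either answer: request the scan from script with the Authorization header, then point the `<object>` tag at a `blob:` URL. The function names, the injectable `fetchFn` and `createObjectURL` parameters, and the same-origin check are assumptions of this example.

```javascript
// Added example: load a protected scan with the bearer token in a header,
// then hand the <object> tag a blob: URL instead of the API URL.
// Hypothetical names: authorizedRequest, loadProtectedScan, showScan.

// Build the request for a same-origin path only, so the token is never
// sent to another host and never appears in the URL.
function authorizedRequest(path, token, origin) {
  const url = new URL(path, origin);
  if (url.origin !== new URL(origin).origin) {
    throw new Error('refusing to send token to ' + url.origin);
  }
  if (!token) {
    throw new Error('no access token in session');
  }
  return { url: url.href, headers: { Authorization: 'Bearer ' + token } };
}

// Fetch the document and return a blob: URL. fetchFn and createObjectURL
// are injectable so the function can be exercised without a browser.
async function loadProtectedScan(path, token, origin, fetchFn = fetch,
                                 createObjectURL = (b) => URL.createObjectURL(b)) {
  const req = authorizedRequest(path, token, origin);
  const res = await fetchFn(req.url, { headers: req.headers });
  if (!res.ok) {
    // e.g. 401 when the token has expired: surface it, do not render anything
    throw new Error('attachment request failed: HTTP ' + res.status);
  }
  return createObjectURL(await res.blob());
}

// Browser usage: swap the <object> data attribute, releasing the old blob.
async function showScan(objectEl, path, token) {
  const blobUrl = await loadProtectedScan(path, token, window.location.origin);
  if (objectEl.data.startsWith('blob:')) URL.revokeObjectURL(objectEl.data);
  objectEl.data = blobUrl;
}
```

In the component, `showScan` would be called with the `<object>` element, the path from `attachViewURL`, and the access token held by the session.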