
I am serving up HTML pages with Aqueduct and I would like the authorization of accessed pages to work without manually setting the authorization header with JavaScript for each link. How is this done?

The only way I can see it being possible is to use a cookie. I tried putting the OAuth Bearer token in a cookie so it gets sent with each request, but I get stuck trying to sneak it back from the cookie into the request header (where it is expected by the standard authorizer at the server end), as the request headers are not mutable.

Do I have to write a new authorizer to use the token from the cookie? I have read that one shouldn't use cookies with OAuth at all. So how to do it? Surely I am missing something as this seems to be a common need.

Another idea (still using cookies) is to extract the token from the cookie at the server and forward the request back to the (same) server with the correct authorization header.

What is the best way to handle authorization of Aqueduct web pages?

Alan

1 Answer


The authorization needs to be sent in the header, and the browser isn't going to do this for me except by cookie, which is not recommended. The answer I came up with is that the HTML page should be retrieved (minus content) and the content for the web page requested with JS, using authorization, with the authorization header included in the request.

My path forward was to replace the whole web page because I didn't want to change much of what was working. So in a wrapper HTML page I do this:

    var uri = NEWURI; // the URI of the protected content to load
    var xhr = new XMLHttpRequest();
    xhr.open('GET', uri);
    xhr.onreadystatechange = handler; // handler is defined below
    xhr.responseType = 'text';

    // The bearer token was stored here by the login page
    var authorization = localStorage.getItem("authorization");
    if (authorization != null)
    {
      xhr.setRequestHeader('Authorization', authorization);
    }
    xhr.send();

and then in the handler I write over the document:

    function handler() {
      if (this.readyState === this.DONE) {
        if (this.status === 200) {
          // Replace the current document with the authorized content
          var newHTML = document.open("text/html", "replace");
          newHTML.write(this.response);
          newHTML.close();
        } else if (this.status === 401)
        {
          // Not authorized (missing or expired token)
        }
      }
    }
Alan
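As an added example (not code from the post above or from Aqueduct), here is the same header-based approach written with `fetch` so that the browser dependencies are passed in rather than reached for globally. It deliberately sends no cookies (`credentials: 'omit'`), clears a stale token and redirects to login on 401, and inserts the fetched HTML into a container element instead of rewriting the whole document. The storage key `authorization`, the `/login` path and the `?next=` parameter are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post or from Aqueduct: a small
// browser-side loader for the pattern the answer describes. The storage key,
// login path and injected fetch/storage/location objects are assumptions.

const TOKEN_KEY = 'authorization';   // assumed key written by the login page

// Build the fetch options for a protected resource. `storage` is anything with
// getItem(), e.g. window.localStorage, so the logic also runs outside a browser.
function buildRequest(storage, uri) {
  const headers = { Accept: 'text/html' };
  const token = storage.getItem(TOKEN_KEY);
  if (token) {
    // Accept either a bare token or one already prefixed with the scheme.
    headers.Authorization = token.startsWith('Bearer ') ? token : 'Bearer ' + token;
  }
  return {
    uri,
    options: {
      method: 'GET',
      headers,
      credentials: 'omit',   // auth is header-based; never rely on cookies
      cache: 'no-store',     // keep authorized HTML out of shared caches
    },
  };
}

// Map a response status to the action the page should take.
function classifyResponse(status) {
  if (status === 200) return 'render';
  if (status === 401) return 'login';      // missing or expired token
  if (status === 403) return 'forbidden';  // valid token, insufficient scope
  return 'error';
}

// Build the login URL, preserving the page the user was trying to reach.
function loginRedirect(loginPath, currentPath) {
  return loginPath + '?next=' + encodeURIComponent(currentPath);
}

// Fetch the protected content and place it in `container`. Everything the
// browser provides (fetch, localStorage, location) is passed in explicitly.
async function loadProtected(uri, { fetchImpl, storage, container, location, loginPath = '/login' }) {
  const { options } = buildRequest(storage, uri);
  const response = await fetchImpl(uri, options);
  const action = classifyResponse(response.status);
  switch (action) {
    case 'render':
      // Server-rendered HTML from our own origin, trusted like a page load.
      container.innerHTML = await response.text();
      break;
    case 'login':
      storage.removeItem(TOKEN_KEY);           // drop the stale token
      location.assign(loginRedirect(loginPath, location.pathname));
      break;
    default:
      container.textContent = 'Could not load page (' + response.status + ')';
  }
  return action;
}

// Browser usage (kept as a comment so the module also runs outside a browser):
// loadProtected('/pages/home', {
//   fetchImpl: window.fetch.bind(window),
//   storage: window.localStorage,
//   container: document.getElementById('content'),
//   location: window.location,
// });
```

Two caveats that apply equally to the answer's XHR version: a token in `localStorage` is readable by any script running on the origin, so an XSS bug anywhere on the site leaks it, and HTML inserted with `innerHTML` or `document.write` is only as safe as the server that rendered it. Omitting cookies is what keeps this scheme free of CSRF, so the server-side authorizer should keep reading the `Authorization` header rather than falling back to a cookie.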