Request tokens ignored on dev/qa servers if portal URL and UserSession.portal don't match #583
Comments
|
I think I just ran into this issue, due to a scheme mismatch. However, I don't think the issue is limited to the dev/qa environments. My UserSession.portal had an Should the comparison ignore the scheme? Edit: for example, see https://services8.arcgis.com/Q1W9j3Lr1BaxMiWi/arcgis/rest/info?f=json |
|
I receive the The portal in session is the org URL: beijing.mapsdevext.arcgis.com, and the feature service URL is: servicedev.arcgis.com. I think these 2 URLs should be considered as federated. |
|
If your portal was production org, then I believe it would pass this test and the user's token current would be used (or refreshed if needed): arcgis-rest-js/packages/arcgis-rest-auth/src/UserSession.ts Lines 726 to 728 in b956d91 This fails in your case b/c your portal is a devext org and fails this test: arcgis-rest-js/packages/arcgis-rest-auth/src/UserSession.ts Lines 78 to 81 in b956d91 We could modify that test to allow for dev/qa environments like: /^https?:\/\/(?:[a-z0-9-]+\.maps(?:devext|qaext)?)?.\arcgis\.com\/sharing\/rest/.test('https://beijing.mapsdevext.arcgis.com/sharing/rest') // trueHowever, my concern is that the arcgis-rest-js/packages/arcgis-rest-auth/src/UserSession.ts Lines 68 to 71 in b956d91 What that means is that we currently allow passing prod tokens to dev/qa servers, and if we were to open up In other words, I think we want to re-work the logic to be: "if the users's portal is either AGO itself or an AGO org for a given environment, AND the (server or portal API) URL is from the same AGO environment, then use or refresh the user's current token" @patrickarlt do you agree? |
|
Hm... Now that I think about it, wonder if we can distinguish between the various environements of hosted server URLs. In other words, are dev servers always |
|
Ha! related: |
|
To clarify, my concer above is not so much that it's insecure to send a token from one ArcGIS Online environment to another (i.e. a dev token to a prod server), it's that the token will be invalid. |
|
Look at some services, it seems the hosted service in dev is |
FWIW, when I was helping the ArcGIS Urban folks a few months back they had a dev enviorment in which attempting to create a hosted feature service using the admin API with one specific name resulted in a production url (because there was an orphaned service definition of the same name on 'servicesdev'). I'd call that an edge-edge case though. ArcGIS REST JS is probably safe to expect the pattern. I guess I'm just bringing my own experience up to mention that logging the result of your expectations if things go pear shaped as a breadcrumb wouldn't be a waste of time. |
|
I think this is happening in 2 similar but different cases because unless the URL passes the tests in https://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L725-L729 the This means that the following cases fail to federate:
@tomwayson has the right solution since we cant consider devext to be federated with production or vica versa so you would have to:
The alternative would be to modify https://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L826 with new tests to make sure that things like |
I thought about that, and it does seem easier. However, my concern there is that our apps would be using different auth flows in dev/qa enviroments than prod environments. I think checking the conditions you enumerated are the best way to go. |
When using
requestwith ArcGIS Online Dev/QA environments, a token will not be added to the request unless theportalURL matches the authenticationUserSession.portal.The dev/qa
owningSystemUrlis not recognized as a ArcGIS Online serverhttps://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L826
The text was updated successfully, but these errors were encountered: