Add ssl flag #332
Add ssl flag #332
Conversation
| @@ -12,13 +12,15 @@ interface IFetchTokenRawResponse { | |||
| access_token: string; | |||
| expires_in: number; | |||
| username: string; | |||
| ssl: boolean; | |||
There was a problem hiding this comment.
I wonder if this should be ssl?: boolean?
|
Nice work @skitterm, thanks for the contribution! |
| @@ -165,6 +165,11 @@ export interface IUserSessionOptions { | |||
| */ | |||
| portal?: string; | |||
|
|
|||
| /** | |||
| * Whether requests should be made exlusively over HTTPS. | |||
| @@ -456,10 +469,14 @@ export class UserSession implements IAuthenticationManager { | |||
| Date.now() + parseInt(match[2], 10) * 1000 - 60 * 1000 | |||
| ); | |||
| const username = decodeURIComponent(match[3]); | |||
| const ssl = | |||
| win.location.href.indexOf("&ssl=true") !== -1 || | |||
There was a problem hiding this comment.
this may just be me, but .indexOf("&ssl=true") > -1 feels more readable than a double-negative.
| @@ -19,6 +19,7 @@ describe("UserSession", () => { | |||
| const session = new UserSession({ | |||
| clientId: "clientId", | |||
| redirectUri: "https://example-app.com/redirect-uri", | |||
| ssl: false, | |||
There was a problem hiding this comment.
unless i'm missing something, there's nothing a user can do in the UserSession constructor to dicate what the server is going to respond with so there's no point in including ssl as an option.
is that correct? if so, we just need to update our examples and make that clear in the API reference.
There was a problem hiding this comment.
My thinking is that ssl is an attribute of a user session, and something that would be needed by arcgis-rest-request's request methods (since they take in a UserSession/ApplicationSession as a param) to determine whether or not to force HTTPS for a request.
There was a problem hiding this comment.
I think the main risk w/ the approach in this PR is that a user can set ssl before beginOAuth() which may overwrite whatever they set.
One alternative would be that we don't let consuming apps set this and we have some kind of read-only property/fn like sslOrg that always returns what was in the redirect url parameter.
Given that we haven't thought through how request() is going to use this parameter yet, it may be safer to do the latter. That would be a much more useful signal to request(). For example, it could so it could only force SSL for requests that are made to that org.
I'm open to suggestions though.
|
awesome contribution. thank you @skitterm! |
|
Should we then remove the |
i didn't spend long with it, but the way things are set up now its necessary in order to be able to set the property internally later. |
Addresses #295.
Features
sslfield toUserSessionclass andFetchTokenresponseto/fromCredential,deserializeandtoJSONsslproperty incompleteOAuth2oauth2/tokenresponse forsslproperty inexchangeAuthorizationCodeFuture work needed (not included in this PR)
arcgis-rest-requestmethods (and other requests when authenticated) should look forsslproperty and force the URL to always be HTTPS in that caseApplicationSessionneed thissslproperty as well?UserSession.getTokenmethod need to readsslvalue?