Commit
STCOR-671 handle access-control via cookies and RTR 👋 🔄 🔒 😅 (#1376)
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding `global.fetch` and `global.XMLHttpRequest`, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763).

The core RTR logic here is largely the same as it was in PR #1346 😬, though with several important differences:

1. No buggy service-worker
2. Handle `fetch` and `XMLHttpRequest`
3. Disable login if cookies are disabled
4. Everything is opt-in 😌

Not _everything_ in PR #1346 was awful, despite it being reverted in #1371 😬. The fundamental difference here is that the global `fetch` and `XMLHttpRequest` functions have been replaced 🤢 by new implementations that handle RTR instead of intercepting such requests via the service-worker proxy. This is not lovely. It is not elegant. It isn't pretty in any way, but it is extremely simple and effective. Certainly, we want to migrate away from it, but given the options we thought it was the best choice in the short term.

The options:

1. Centralized fix within stripes-core by fixing the service worker. Let's be honest, I didn't get it right in #1346 and then couldn't get it right in #1361 or #1363 or #1366 or #1369. Why would anybody possibly believe that I could get it right now?
2. Decentralized fix: handle this in each UI-* repository by exporting a new function from stripes and refactoring each UI repo to leverage the new code. Probably not a big refactor, but not a small effort.
3. Centralized fix within stripes-core by overwriting `global.fetch`. Gross, but effective, and long term we can make this a decentralized approach by exporting our new `fetch` function, doing the refactor described in 2 (above), and removing the global-overwrite once all the refactoring is done.

In summary:

* Replaces #1340. It was gross and I really don't want to talk about it. Let us never mention it again.
* Replaces #1346. It was a terrible, horrible, no good, very bad PR. Alexander hated that PR more than lima beans.

Additional requirements:

* Requires folio-org/stripes-connect#223
* Requires folio-org/stripes-smart-components#1397
* Requires folio-org/stripes-webpack#125

Refs STCOR-671, FOLIO-3627

(cherry picked from commit 0361353)
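As an added example (not stripes-core's code), the `global.fetch` override pattern the message describes: a wrapper that sends the cookie credentials, performs a single-flight refresh-token-rotation call when a request comes back 401, retries that request exactly once, and refuses to run when cookies are disabled. The refresh path and the in-memory backend are constructed assumptions, not FOLIO's real endpoints.

```javascript
const REFRESH_PATH = '/authn/refresh'; // assumed path; not stripes-core's real endpoint

// Constructed stand-in for a backend that keeps tokens in HTTP-only cookies:
// script never sees a token, it only sees 401 once the access token expired.
function makeFakeServer() {
  const state = { accessValid: false, refreshCalls: 0 };
  const fetchImpl = async (url) => {
    if (url === REFRESH_PATH) {          // RTR: issue fresh access + refresh cookies
      state.refreshCalls += 1;
      state.accessValid = true;
      return new Response(null, { status: 201 });
    }
    return new Response(state.accessValid ? 'ok' : 'expired',
      { status: state.accessValid ? 200 : 401 });
  };
  return { state, fetchImpl };
}

// Replace globalObj.fetch with an RTR-aware wrapper and return the wrapper.
// cookiesEnabled mirrors the "disable login when cookies are disabled" rule.
function installRtrFetch(globalObj, cookiesEnabled) {
  const nativeFetch = globalObj.fetch;
  let inflightRefresh = null;            // single-flight: concurrent 401s share one refresh
  const refresh = () => {
    if (!inflightRefresh) {
      inflightRefresh = nativeFetch(REFRESH_PATH, { method: 'POST', credentials: 'include' })
        .finally(() => { inflightRefresh = null; });
    }
    return inflightRefresh;
  };
  globalObj.fetch = async (url, opts = {}) => {
    if (!cookiesEnabled) throw new Error('cookies disabled: cannot authenticate');
    const withCreds = { ...opts, credentials: 'include' }; // always send the cookies
    let res = await nativeFetch(url, withCreds);
    if (res.status === 401 && url !== REFRESH_PATH) {     // never try to refresh the refresh
      const r = await refresh();
      if (r.ok) res = await nativeFetch(url, withCreds);    // retry exactly once
    }
    return res;
  };
  return globalObj.fetch;
}
```

A real deployment would pass `globalThis` and `navigator.cookieEnabled` to `installRtrFetch`; the fake server exists only so the block runs offline.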