The /download endpoint is called whenever we want to retrieve a file. If you're rendering an image, the browser sends the request to that download destination with some default headers. These headers do not include the x-atomic-auth headers, of course. So what happens is: we can't download files that are protected by some form of authorization.
How should we fix this?
Signed cookies
Currently, every HTTP request is signed. That gives us stateless authentication, which is cool. But browsers work like they work, so we should probably use cookies for this.
The client signs one Authentication resource. Similar to this.
This resource has a signature, signed-at, expires-at, and some agent info (publickey, subject).
This cookie is included in all requests to the main server.
We need to make sure the cookie is never sent to other domains.
Some thoughts on signed cookies:
Cookie validation can be cached server side, so it only has to be validated once. After that, we only check expiration.
Let's make sure we use the same json-ad serialization as in the websocket system.
Add HTTP headers in a service worker proxy
@Polleps has some ideas on this.
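The signed-cookie flow described above, as an added Node.js example that is not code from this issue or from the project: the client signs one Authentication resource, and the server verifies it once, caches the result, and afterwards checks only expiration. Ed25519, plain JSON instead of json-ad, the message layout, the cookie name `atomic_session`, the lifetime cap and the `agentKeys` lookup are all assumptions.

```javascript
const crypto = require('node:crypto');

// Assumed signed-message layout and lifetime cap; the issue only names the fields.
const message = (a) => `${a.subject} ${a.signedAt} ${a.expiresAt}`;
const MAX_LIFETIME_MS = 24 * 60 * 60 * 1000;

// Client side: sign one Authentication resource and encode it as a cookie value.
function makeAuthCookie(privateKey, publicKey, subject, signedAt, expiresAt) {
  const auth = { subject, publicKey, signedAt, expiresAt };
  auth.signature = crypto.sign(null, Buffer.from(message(auth)), privateKey).toString('base64');
  return Buffer.from(JSON.stringify(auth)).toString('base64url');
}

// Host-only cookie (no Domain attribute), so it is never sent to other domains.
const cookieString = (value, expiresAt) =>
  `atomic_session=${value}; Path=/; Secure; SameSite=Strict; Expires=${new Date(expiresAt).toUTCString()}`;

// Server side: cookies whose signature was already verified (bound and evict in production).
const verified = new Map(); // cookie value -> { subject, expiresAt }

// agentKeys: subject -> base64 SPKI public key, a hypothetical stand-in for the agent lookup.
function validateAuthCookie(value, now, agentKeys) {
  const hit = verified.get(value);
  if (hit) { // signature already known good: only expiration is rechecked
    if (now < hit.expiresAt) return { ok: true, subject: hit.subject, cached: true };
    verified.delete(value);
    return { ok: false, reason: 'expired' };
  }
  let a;
  try { a = JSON.parse(Buffer.from(String(value), 'base64url').toString('utf8')); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (!a || typeof a.subject !== 'string' || typeof a.signature !== 'string' ||
      !Number.isInteger(a.signedAt) || !Number.isInteger(a.expiresAt))
    return { ok: false, reason: 'malformed' };
  if (a.signedAt > now || a.expiresAt - a.signedAt > MAX_LIFETIME_MS)
    return { ok: false, reason: 'bad-validity-window' };
  if (now >= a.expiresAt) return { ok: false, reason: 'expired' };
  // Trust the key stored for the subject, never the key the cookie claims.
  const known = agentKeys.get(a.subject);
  if (!known || known !== a.publicKey) return { ok: false, reason: 'unknown-agent' };
  const key = crypto.createPublicKey({ key: Buffer.from(known, 'base64'), format: 'der', type: 'spki' });
  if (!crypto.verify(null, Buffer.from(message(a)), key, Buffer.from(a.signature, 'base64')))
    return { ok: false, reason: 'bad-signature' };
  verified.set(value, { subject: a.subject, expiresAt: a.expiresAt });
  return { ok: true, subject: a.subject, cached: false };
}
```

Because the cache is keyed by the full cookie value, any altered cookie misses the cache and goes through full signature verification again.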