Unverified Commit b87aa62b authored by Phillip Kuznetsov, committed by Copybara

PC-883: Re-enable CORS checks for cli redirect URI by passing token in header

Summary:
CORS checks were not working as expected. Browser CORS is enabled in a complex set of circumstances and we did not hit those circumstances with our GET request. We found that we could enable CORS by adding a header to the GET request.
It seems like we had plans to pass the data in the `token` header, so we are now passing the token there. In a follow-up diff, we will read the data from the header in the CLI server. Then we will disable the old method of passing the accessToken through the URL.

D8524 enables the new CLI path for this.

Test Plan: Tested against sketchy URLs and we stopped sending over the request. We still work with localhost redirect URIs, which is intended.

Reviewers: zasgar, vihang

Reviewed By: zasgar

JIRA Issues: PC-883

Differential Revision: https://phab.corp.pixielabs.ai/D8523

GitOrigin-RevId: 6b0c5ddd0450f02132d1e83c72932db0e7efa803
parent 63181054
Showing with 5 additions and 3 deletions
......@@ -30,9 +30,11 @@ import { BasePage } from './base';
import { AuthCallbackMode, GetOAuthProvider } from './utils';
import { Token } from './oauth-provider';
const redirectGet = async (url, data) => {
const redirectGet = async (url: string, data: { accessToken: string }) => {
// TODO(philkuz) (PC-883) remove the data from the query string.
const fullURL = QueryString.stringifyUrl({ url, query: data });
return Axios.get(fullURL);
// Send token header to enable CORS check. Token is still allowed with Pixie CLI.
return Axios.get(fullURL, { headers: { token: data.accessToken } });
};
type ErrorType = 'internal' | 'auth';
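Review bot: The preflight that the new `token` header triggers is sent to `fullURL`, which still carries `accessToken` in its query string, so the token reaches the redirect host in the OPTIONS request URL even when the CORS check then blocks the GET. Until the PC-883 TODO is resolved, the header alone does not keep the token away from an untrusted redirect URI; consider validating `url` (for example, against the localhost redirect URIs the CLI is expected to use) before any request is issued. The comment on the `Axios.get` line would also be clearer if it said that a custom header makes the request non-simple, which is what forces the browser to preflight it.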
......@@ -154,7 +156,7 @@ export const AuthCallbackPage: React.FC = () => {
const response = await redirectGet(redirectURI, { accessToken });
return response.status === 200 && response.data === 'OK';
} catch (error) {
handleHTTPError(error as AxiosError)
handleHTTPError(error as AxiosError);
// If there's an error, we just return a failure.
return false;
}
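Review bot: In the `catch` block, `error as AxiosError` is an unchecked cast, and with the preflight introduced in the first hunk a rejected redirect URI now lands here as a network error that has no `response`. Guard with `Axios.isAxiosError(error)` before calling `handleHTTPError`, and make sure that handler does not assume `error.response` is set. A CORS rejection is an expected outcome on this path, so it may deserve its own handling rather than being reported like an HTTP failure.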
......