From b87aa62bf023e17284cbaed17faf5b9f931c5ec2 Mon Sep 17 00:00:00 2001
From: Phillip Kuznetsov <pkuznetsov@pixielabs.ai>
Date: Wed, 5 May 2021 11:42:19 -0700
Subject: [PATCH] PC-883: Re-enable CORS checks for cli redirect URI by passing
 token in header

Summary:
CORS checks were not working as expected. Browsers only apply a CORS preflight under a specific set of conditions, and our plain GET request did not meet them. We found that we could trigger the CORS check by adding a custom header to the GET request.
It seems like we had plans to pass the data in the `token` header, so we are now passing the token there. In a follow up diff, we will read the data from the header in the CLI server. Then we will disable the old method of passing the accessToken through the URL.

D8524 enables the new CLI path for this.

Test Plan: Tested against sketchy URLs and we stopped sending over the request. We still work with localhost redirect URIs which is intended

Reviewers: zasgar, vihang

Reviewed By: zasgar

JIRA Issues: PC-883

Differential Revision: https://phab.corp.pixielabs.ai/D8523

GitOrigin-RevId: 6b0c5ddd0450f02132d1e83c72932db0e7efa803
---
 src/ui/src/pages/auth/callback.tsx | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ui/src/pages/auth/callback.tsx b/src/ui/src/pages/auth/callback.tsx
index 2f127c18c..2a628a0bf 100644
--- a/src/ui/src/pages/auth/callback.tsx
+++ b/src/ui/src/pages/auth/callback.tsx
@@ -30,9 +30,11 @@ import { BasePage } from './base';
 import { AuthCallbackMode, GetOAuthProvider } from './utils';
 import { Token } from './oauth-provider';
 
-const redirectGet = async (url, data) => {
+const redirectGet = async (url: string, data: { accessToken: string }) => {
+  // TODO(philkuz) (PC-883) remove the data from the query string.
   const fullURL = QueryString.stringifyUrl({ url, query: data });
-  return Axios.get(fullURL);
+  // Send token header to enable CORS check. Token is still allowed with Pixie CLI.
+  return Axios.get(fullURL, { headers: { token: data.accessToken } });
 };
 
 type ErrorType = 'internal' | 'auth';
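Review bot: The added `token` header only forces a CORS preflight; it does not keep the token off the wire, because the preflight OPTIONS is sent to `fullURL`, which still carries `accessToken` in the query string built on the `QueryString.stringifyUrl` line. An attacker-controlled redirect URI therefore still receives the token even when the browser then refuses to send the GET, so the deferred TODO (dropping `data` from the query) is the actual fix and should land before this check is relied on. As defense in depth, and given the test plan's note that only localhost redirect URIs are intended, `redirectGet` could reject any other host before sending: `const { hostname } = new URL(url); if (!['localhost', '127.0.0.1'].includes(hostname)) throw new Error('redirect URI must be local');`. The comment on the header line would also be clearer if it said what the CLI server must do for the request to go through, e.g. `// Custom header forces a CORS preflight; the CLI server must allow it via Access-Control-Allow-Headers.`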
@@ -154,7 +156,7 @@ export const AuthCallbackPage: React.FC = () => {
       const response = await redirectGet(redirectURI, { accessToken });
       return response.status === 200 && response.data === 'OK';
     } catch (error) {
-      handleHTTPError(error as AxiosError)
+      handleHTTPError(error as AxiosError);
       // If there's an error, we just return a failure.
       return false;
     }
-- 
GitLab