arcgis-rest-js icon indicating copy to clipboard operation
arcgis-rest-js copied to clipboard

Published 20 hours ago verified publisher icon Esri

[RFC] What do we do when UserSession.enablePostMessageAuth happens more than once?

Open drewdaemon opened this issue 3 years ago • 1 comments

Preface

As things stand, calling enablePostMessageAuth multiple times simply adds multiple postMessage listeners to window, but disablePostMessageAuth will only remove the latest one.

There are various scenarios where you might want to call enablePostMessageAuth more than once. In Hub, it makes sense architecturally to have it our iframe wrapper component call it whenever it sees a valid origin. But, there may be multiple iframes on a page so enablePostMessageAuth may get invoked more than once.

We did the following to avoid issues:

if (allowedEmbeddedAuthOrigins.includes(iframeOrigin.toLowerCase())) {
      userSession.disablePostMessageAuth(); // always clear to avoid registering multiple listeners
      userSession.enablePostMessageAuth(allowedEmbeddedAuthOrigins);
}

Questions

  • Should enablePostMessageAuth support multiple postMessageListeners or just one at a time?
  • Would it be useful to have a flag on UserSession to check whether postMessage auth is enabled? Something like UserSession.postMessageAuthEnabled: boolean maybe?

drewdaemon avatar Mar 01 '21 15:03 drewdaemon

The solution we did for Hub works for us b/c we always call enablePostMessageAuth() w/ the same list of allowed origins (i.e. the complete list of origins that the app supports).

It gets tricky if your app calls it w/ different allowed origins each time (i.e. each iframe only calls it w/ the URL it's own src).

In discussing this w/ @andrewctate, I came to the conclusion that we do not want this library to try and do anything "smart" to handle the latter scenario (i.e. try to merge the lists, etc). The best thing I can think of for handling that scenario is rather than exposing postMessageAuthEnabled as a boolean, expose allowedOrigins: string[] so that the consuming app can check if the origin has already been registered, and if not re-call enablePostMessageAuth() with a merged list. I think that combined w/ having enablePostMessageAuth() always call disablePostMessageAuth() first will allow us to support both use cases w/o incurring the complexity of managing multiple listeners.

tomwayson avatar Mar 01 '21 16:03 tomwayson