Support sending custom headers (e.g. session token) in requests from Isso JS client

Open antont opened this issue 2 years ago • 2 comments

Hi - I am using external authentication for users with Isso, because we embedded Isso in a system where we already had user info, auth and sessions using bearer tokens.

For the Isso client side requests, like posting a new comment, I needed to add the session token to the requests. I hacked this in a sort-of-OK way that works for us, by adding a new Isso client param, bearer-token-cookie, with the name of a cookie. If that is defined, isso/js/app/api.js sets the value of that cookie to the bearer-token header. The commit for that is https://github.com/antont/isso-postgresql/commit/c2fe703f36fa1481fa2148c8b15ddfe69f0de268 (with some little fixes in later ones).

Support for this would be nice to have in Isso upstream, but I figure this would not be the way, but something more generic could do it.

For example, there could be a setting with custom header name, and the name of a client side getter function, that would work for setting any header with whatever logic.

Or perhaps the client lib could provide some way to register some decorator / callback for customizing requests, in api.js?

Am also open to other proposals. Am doing the actual authentication in a fastapi app, with fastapi-users, where I have a proxy for the Isso API where I intercept the requests and inject the username, planning to set the avatar there too, and perhaps do other feats related to auth. This is related to the discussion in #240 but a different topic; in my case it seems that simply supporting custom headers in the client would allow using external user auth.

antont, Mar 12 '22 08:03

Thanks for tagging @ix5 - just a note: AFAIK this does not necessarily affect the server side at all. Now I did it by hacking isso/js/app/api.js only in that commit, and it could be some register-extension / wrapper / custom-headers-setter hook in the js lib. The option is for the script tag in the html, could be used for that or not, also can be just a call in the embedding js to config the header info or so.

Anyway, it is for custom server-side usage and not just a front UI issue or so, that's true.

antont, Mar 15 '22 12:03

All I can say on this topic is that this is a prime example for the need for an extension system, both on the client and on the server.

See https://github.com/posativ/isso/issues/813

For example in the curl() function, we might pass the xhr object into an extension hook that runs before xhr.send(), as well as allow hooking onload().

Also related: https://github.com/posativ/isso/issues/105 and https://github.com/posativ/isso/pull/261

ix5, Mar 21 '22 08:03
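
A sketch of the before-send hook discussed in this thread, as an added example that is not Isso's code or API: registerBeforeSend, applyBeforeSend, bearerFromCookie, the cookie name and the example origins are hypothetical, and only the bearer-token header name comes from the issue. It goes slightly beyond the thread by attaching the token only to the configured API origin and rejecting CR/LF in hook-supplied headers, and it assumes absolute request URLs.

```javascript
// Added example: names below are hypothetical, not part of Isso's client.
const beforeSendHooks = [];

// Embedding page registers a function(request) -> { headerName: value }.
function registerBeforeSend(hook) {
  if (typeof hook !== "function") throw new TypeError("hook must be a function");
  beforeSendHooks.push(hook);
}

// Read one cookie from a document.cookie-style string; null if absent.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx !== -1 && part.slice(0, idx).trim() === name) {
      return part.slice(idx + 1).trim();
    }
  }
  return null;
}

// The client would call this after xhr.open() and before xhr.send().
function applyBeforeSend(xhr, request) {
  for (const hook of beforeSendHooks) {
    for (const [name, value] of Object.entries(hook(request) || {})) {
      // Refuse header injection via CR/LF in hook-supplied strings.
      if (/[\r\n]/.test(name + String(value))) throw new Error("invalid header: " + name);
      xhr.setRequestHeader(name, String(value));
    }
  }
}

// Hook factory: send the session token only to the configured API origin.
function bearerFromCookie(apiOrigin, cookieName, getCookies) {
  return (request) => {
    if (new URL(request.url).origin !== apiOrigin) return {};
    const token = readCookie(getCookies(), cookieName);
    return token ? { "bearer-token": token } : {};
  };
}

// Constructed demo: a stand-in for XMLHttpRequest that records headers.
function demo() {
  const sent = {};
  const fakeXhr = { setRequestHeader: (n, v) => { sent[n] = v; } };
  registerBeforeSend(bearerFromCookie("https://comments.example", "session",
    () => "theme=dark; session=abc123"));
  applyBeforeSend(fakeXhr, { method: "POST", url: "https://comments.example/new?uri=%2Fpost" });
  return sent;
}
console.log(demo());
```

In a browser the getCookies argument would be `() => document.cookie`, which only works when the session cookie is not HttpOnly.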