To improve the UX for browser downloads of resources such as reports, recordings, and templates, there should be a way for a client to request a JWT token associated with a request to download a specific resource. The client can then make a follow-up request using that token to actually download the resource, and on the second request no Authorization/X-JMX-Authorization headers (or any others) should be required - all of the required information is contained within or represented by the JWT. Generating the JWT to begin with should require the user to be authenticated. The user must also pass an authorization check before being able to download the resource - this authorization check should probably happen when the user requests the JWT token. The JWT token generator endpoint therefore must identify the requesting user (by their Authorization header), but must also identify what permissions are required for the requested resource and check that the user is authorized to perform these actions.
cryostatio/cryostat-web#318 (comment)
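The two-step flow requested above, sketched as an added example that is not part of the original issue and is not Cryostat's code: the token endpoint authenticates and authorizes, then signs a JWT bound to one resource, and the download endpoint accepts that JWT with no headers. HS256 signing, the 30-second lifetime, the `resource` claim name, and the user and permission tables are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"           # assumption: server-side HMAC key
USERS = {"Bearer alice-token": "alice"}    # constructed Authorization header -> user
GRANTS = {"alice": {"READ_RECORDING"}}     # constructed permissions held by each user
REQUIRED = {"/recordings/": {"READ_RECORDING"}, "/reports/": {"READ_REPORT"}}
TTL_SECONDS = 30                           # assumption: short-lived, the token travels in a URL

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def required_permissions(resource):
    for prefix, perms in REQUIRED.items():
        if resource.startswith(prefix):
            return perms
    raise PermissionError("unknown resource type")

def issue_download_token(authorization, resource, now=None):
    """Token endpoint: authenticate, authorize, then bind the JWT to one resource."""
    user = USERS.get(authorization)
    if user is None:
        raise PermissionError("unauthenticated")
    if not required_permissions(resource) <= GRANTS.get(user, set()):
        raise PermissionError("forbidden")
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": user, "resource": resource,
                              "exp": now + TTL_SECONDS}).encode())
    return f"{header}.{claims}.{_sign(header + '.' + claims)}"

def authorize_download(token, resource, now=None):
    """Download endpoint: no headers required, the JWT alone must justify the request."""
    try:
        header, claims, signature = token.split(".")
        if not hmac.compare_digest(signature, _sign(header + "." + claims)):
            return False                    # forged or altered token
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False                    # pin the algorithm, never trust the header's choice
        body = json.loads(_unb64(claims))
    except (ValueError, TypeError):
        return False                        # malformed token
    now = time.time() if now is None else now
    return body.get("resource") == resource and now < body.get("exp", 0)
```

Because the authorization decision is frozen into the token at issue time, the lifetime bounds how long a revoked permission stays usable, and the exact-match `resource` check keeps a token for one file from downloading another.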