Remove AuthMethod and add access token to RestApi

Authentication for API calls will be handled using an access token
in the "Authorization: OAuth access_token" style. Browsers do not
use this when making requests unless they use an XmlHttpRequest.
If the value used as the access_token is not available cross-site,
then a hijacking attempt cannot make the API call.

Change-Id: I33654bcaa247cb95a57b03d2df112ca95e970185
Shawn O. Pearce
2012-11-12 12:38:30 -08:00
parent e649d848dc
commit bbeb2a96e4
22 changed files with 88 additions and 146 deletions


@@ -93,7 +93,7 @@ public class Gerrit implements EntryPoint {
private static HostPageData.Theme myTheme;
private static Account myAccount;
private static AccountDiffPreference myAccountDiffPref;
private static String xsrfToken;
private static String accessToken;
private static MorphingTabPanel menuLeft;
private static LinkMenuBar menuRight;
@@ -239,6 +239,11 @@ public class Gerrit implements EntryPoint {
return myAccount;
}
/** @return access token to prove user identity during REST API calls. */
public static String getAccessToken() {
return accessToken;
}
/** @return the currently signed in users's diff preferences; null if no diff preferences defined for the account */
public static AccountDiffPreference getAccountDiffPreference() {
return myAccountDiffPref;
@@ -333,7 +338,7 @@ public class Gerrit implements EntryPoint {
static void deleteSessionCookie() {
myAccount = null;
myAccountDiffPref = null;
xsrfToken = null;
accessToken = null;
refreshMenuBar();
// If the cookie was HttpOnly, this request to delete it will
@@ -383,7 +388,7 @@ public class Gerrit implements EntryPoint {
myTheme = result.theme;
if (result.account != null) {
myAccount = result.account;
xsrfToken = result.xsrfToken;
accessToken = result.accessToken;
}
if (result.accountDiffPref != null) {
myAccountDiffPref = result.accountDiffPref;
@@ -530,7 +535,7 @@ public class Gerrit implements EntryPoint {
JsonUtil.setDefaultXsrfManager(new XsrfManager() {
@Override
public String getToken(JsonDefTarget proxy) {
return xsrfToken;
return accessToken;
}
@Override
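Review bot: The Javadoc on `getAccessToken()` does not say when the value is absent, yet that is the contract callers rely on: the field is only assigned inside the `if (result.account != null)` branch and is cleared in `deleteSessionCookie()`, so a null return means no user is signed in. Suggest `/** @return access token to prove user identity during REST API calls; null when no user is signed in. */`. The same token is now also handed out by the `XsrfManager.getToken` override in the last hunk, so the comment could add that it doubles as the JSON-RPC XSRF token; that hunk appears truncated here and the enclosing anonymous class continues outside it.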


@@ -14,6 +14,7 @@
package com.google.gerrit.client.rpc;
import com.google.gerrit.client.Gerrit;
import com.google.gerrit.client.RpcStatus;
import com.google.gwt.core.client.GWT;
import com.google.gwt.core.client.JavaScriptObject;
@@ -161,6 +162,9 @@ public class RestApi {
public <T extends JavaScriptObject> void send(final AsyncCallback<T> cb) {
RequestBuilder req = new RequestBuilder(RequestBuilder.GET, url.toString());
req.setHeader("Accept", JsonConstants.JSON_TYPE);
if (Gerrit.getAccessToken() != null) {
req.setHeader("Authorization", "OAuth " + Gerrit.getAccessToken());
}
req.setCallback(new MyRequestCallback<T>(cb));
try {
RpcStatus.INSTANCE.onRpcStart();
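Review bot: The `Authorization` header is attached to whatever `url` names, so the access token would be sent to any host a `RestApi` could be pointed at; presumably `url` is always a same-origin path (its construction is outside the hunk), but the guard deserves a comment stating that invariant, e.g. `// url is always same-origin; never attach the token to a cross-origin request`. Minor: `Gerrit.getAccessToken()` is read twice; hold it once: `String token = Gerrit.getAccessToken(); if (token != null) { req.setHeader("Authorization", "OAuth " + token); }`. The body of `send` continues past the end of the hunk.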