Remove the access token from Redux & context #30275
Conversation
|
That looks good, but also, wouldn't it make it even harder for the WebUI to ever handle multiple accounts at once? |
Yes, but if we go with multiple accounts I am not sure we want to do it on the fly, but probably reload the whole page using the identity of the other account. In any case, I dont think this would belong to Redux (because we do API calls outside of a component tree), and we can do it in alternate ways. |
renchap
force-pushed
the
no-access-token-in-redux
branch
from
b5f05b4
to
7792fc1
Compare
|
This pull request has merge conflicts that must be resolved before it can be merged. |
renchap
force-pushed
the
no-access-token-in-redux
branch
2 times, most recently
from
8e219e1
to
a495f07
Compare
|
This pull request has resolved merge conflicts and is ready for review. |
|
This pull request has merge conflicts that must be resolved before it can be merged. |
renchap
force-pushed
the
no-access-token-in-redux
branch
from
a495f07
to
da0d9ba
Compare
This is not mutable once initially loaded, and it does not make sense to store it into Redux, and this makes it easy to expose it (when dumping the Redux content for troubleshooting, dev extension…). It is also very unpractical to require access to `store.getState` to make an API request where the only thing you need is the token. This PR: - disallows `access_token` to be stored in Redux - removes `access_token` from the identity context (this was not used) - creates a new `getAccessToken` accessor from the initial state - changes all the places using `accessToken` to use the new function - changes the `api(getState)` interface to `api()`, and update all the callsites
renchap
force-pushed
the
no-access-token-in-redux
branch
from
da0d9ba
to
92bb6d1
Compare
|
This pull request has resolved merge conflicts and is ready for review. |
When in the admin panel, calls to the API should not pass an `authorization` token, because the token is not valid for this scope. They should not pass a token, so the cookie authentication is used and they have access to the full scope. I prefered a `withAuthorization` parameter rather than `skipAuthorization`, so the callsite is `api(false)` rather than `api(true)` when you dont want to use the token. This was introduced in mastodon#30275
This is not mutable once initially loaded, and it does not make sense to store it into Redux, and this makes it easy to expose it (when dumping the Redux content for troubleshooting, dev extension…).
It is also very unpractical to require access to
store.getStateto make an API request where the only thing you need is the token.This PR:
access_tokento be stored in Reduxaccess_tokenfrom the identity context (this was not used)getAccessTokenaccessor from the initial stateaccessTokento use the new functionapi(getState)interface toapi(), and update all the callsites