Remove the access token from Redux & context #30275
That looks good, but also, wouldn't it make it even harder for the WebUI to ever handle multiple accounts at once?
Yes, but if we go with multiple accounts I am not sure we want to do it on the fly, but probably reload the whole page using the identity of the other account. In any case, I don't think this would belong to Redux (because we do API calls outside of a component tree), and we can do it in alternate ways.
This is not mutable once initially loaded, and it does not make sense to store it into Redux, and this makes it easy to expose it (when dumping the Redux content for troubleshooting, dev extension…). It is also very unpractical to require access to `store.getState` to make an API request where the only thing you need is the token.

This PR:
- disallows `access_token` to be stored in Redux
- removes `access_token` from the identity context (this was not used)
- creates a new `getAccessToken` accessor from the initial state
- changes all the places using `accessToken` to use the new function
- changes the `api(getState)` interface to `api()`, and updates all the callsites
When in the admin panel, calls to the API should not pass an `authorization` token, because the token is not valid for this scope. They should not pass a token, so the cookie authentication is used and they have access to the full scope. I preferred a `withAuthorization` parameter rather than `skipAuthorization`, so the callsite is `api(false)` rather than `api(true)` when you don't want to use the token. This was introduced in mastodon#30275
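A minimal sketch of the pattern discussed in this thread, added here as an illustration and not taken from the Mastodon code base: the token is read through a `getAccessToken` accessor, stripped from what reaches the store, and attached only when `api()` is called with authorization enabled. The sample initial state, the `metaForStore` and `dumpStoreForTroubleshooting` helpers, the `Bearer` header scheme and the shape returned by `api()` are assumptions.

```javascript
// Added example with constructed data; not the project's own code.

// Constructed stand-in for the server-rendered initial state.
const initialState = {
  meta: { me: '1', domain: 'example.test', access_token: 'CONSTRUCTED-TOKEN' },
};

// Accessor named in the PR description: the token is read from the
// initial state, so callers no longer need store.getState.
const getAccessToken = () => initialState?.meta?.access_token;

// Hypothetical helper: the copy of `meta` handed to the store never
// carries the token, so a state dump cannot leak it.
function metaForStore(meta) {
  const { access_token, ...rest } = meta;
  return rest;
}

// Hypothetical store state built from the sanitized copy.
const storeState = { meta: metaForStore(initialState.meta) };

// Hypothetical troubleshooting dump, the exposure path named in the PR.
const dumpStoreForTroubleshooting = () => JSON.stringify(storeState);

// Stand-in for api(withAuthorization): returns the config an HTTP client
// would be created with. With `false` (admin panel), no Authorization
// header is set and the browser's cookie session is used instead.
function api(withAuthorization = true) {
  const headers = {};
  const token = withAuthorization ? getAccessToken() : undefined;
  if (token) {
    headers.Authorization = `Bearer ${token}`; // assumed header scheme
  }
  return { headers };
}

console.log(dumpStoreForTroubleshooting());
console.log(api().headers, api(false).headers);
```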