(core) add an access token mechanism to help with attachments in custom widgets

Summary: With this, a custom widget can render an attachment by doing: ``` const tokenInfo = await grist.docApi.getAccessToken({readOnly: true}); const img = document.getElementById('the_image'); const id = record.C[0]; // get an id of an attachment const src = `${tokenInfo.baseUrl}/attachments/${id}/download?auth=${tokenInfo.token}`; img.setAttribute('src', src) ``` The access token expires after a few mins, so if a user right-clicks on an image to save it, they may get access denied unless they refresh the page. A little awkward, but s3 pre-authorized links behave similarly and it generally isn't a deal-breaker. Test Plan: added tests Reviewers: dsagal Reviewed By: dsagal Subscribers: dsagal Differential Revision: https://phab.getgrist.com/D3488
2026-03-02 04:09:24 +00:00 · 2022-07-19 11:39:49 -04:00
parent 5c0a250309
commit dd8d2e18f5
22 changed files with 551 additions and 34 deletions
--- a/app/common/ActiveDocAPI.ts
+++ b/app/common/ActiveDocAPI.ts
@@ -4,6 +4,7 @@ import {FormulaProperties} from 'app/common/GranularAccessClause';
 import {FetchUrlOptions, UploadResult} from 'app/common/uploads';
 import {DocStateComparison, PermissionData, UserAccessData} from 'app/common/UserAPI';
 import {ParseOptions} from 'app/plugin/FileParserAPI';
+import {AccessTokenOptions, AccessTokenResult} from 'app/plugin/GristAPI';
 import {IMessage} from 'grain-rpc';

 export interface ApplyUAOptions {
@@ -316,6 +317,11 @@ export interface ActiveDocAPI {
   */
  checkAclFormula(text: string): Promise<FormulaProperties>;

+  /**
+   * Get a token for out-of-band access to the document.
+   */
+  getAccessToken(options: AccessTokenOptions): Promise<AccessTokenResult>;
+
  /**
   * Returns the full set of tableIds, with the list of colIds for each table. This is intended
   * for editing ACLs. It is only available to users who can edit ACLs, and lists all resources
--- a/app/common/gristUrls.ts
+++ b/app/common/gristUrls.ts
@@ -178,7 +178,12 @@ export function getOrgUrlInfo(newOrg: string, currentHost: string, options: OrgU
 *    localhost:8080/o/<org>
 */
 export function encodeUrl(gristConfig: Partial<GristLoadConfig>,
-                          state: IGristUrlState, baseLocation: Location | URL): string {
+                          state: IGristUrlState, baseLocation: Location | URL,
+                          options: {
+                            // make an api url - warning: just barely works, and
+                            // only for documents
+                            api?: boolean
+                          } = {}): string {
  const url = new URL(baseLocation.href);
  const parts = ['/'];

@@ -193,9 +198,14 @@ export function encodeUrl(gristConfig: Partial<GristLoadConfig>,
    }
  }

+  if (options.api) {
+    parts.push(`api/`);
+  }
  if (state.ws) { parts.push(`ws/${state.ws}/`); }
  if (state.doc) {
-    if (state.slug) {
+    if (options.api) {
+      parts.push(`docs/${encodeURIComponent(state.doc)}`);
+    } else if (state.slug) {
      parts.push(`${encodeURIComponent(state.doc)}/${encodeURIComponent(state.slug)}`);
    } else {
      parts.push(`doc/${encodeURIComponent(state.doc)}`);