(core) add an access token mechanism to help with attachments in custom widgets

Summary:
With this, a custom widget can render an attachment by doing:
```
const tokenInfo = await grist.docApi.getAccessToken({readOnly: true});
const img = document.getElementById('the_image');
const id = record.C[0];  // get an id of an attachment
const src = `${tokenInfo.baseUrl}/attachments/${id}/download?auth=${tokenInfo.token}`;
img.setAttribute('src', src)
```

The access token expires after a few minutes, so if a user right-clicks on an image
to save it, they may get access denied unless they refresh the page. This is a little awkward,
but S3 pre-authorized links behave similarly and it generally isn't a deal-breaker.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Subscribers: dsagal

Differential Revision: https://phab.getgrist.com/D3488
Paul Fitzpatrick
2022-07-19 11:39:49 -04:00
parent 5c0a250309
commit dd8d2e18f5
22 changed files with 551 additions and 34 deletions


@@ -18,6 +18,7 @@ export const GristDocAPI = t.iface([], {
"listTables": t.func(t.array("string")),
"fetchTable": t.func("any", t.param("tableId", "string")),
"applyUserActions": t.func("any", t.param("actions", t.array(t.array("any"))), t.param("options", "any", true)),
"getAccessToken": t.func("AccessTokenResult", t.param("options", "AccessTokenOptions")),
});
export const GristView = t.iface([], {
@@ -27,10 +28,22 @@ export const GristView = t.iface([], {
"setSelectedRows": t.func("void", t.param("rowIds", t.array("number"))),
});
export const AccessTokenOptions = t.iface([], {
"readOnly": t.opt("boolean"),
});
export const AccessTokenResult = t.iface([], {
"token": "string",
"baseUrl": "string",
"ttlMsecs": "number",
});
const exportedTypeSuite: t.ITypeSuite = {
ComponentKind,
GristAPI,
GristDocAPI,
GristView,
AccessTokenOptions,
AccessTokenResult,
};
export default exportedTypeSuite;
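Review bot: `readOnly` is declared as `t.opt("boolean")` in `AccessTokenOptions`, so the checker accepts `getAccessToken({})`, and nothing in this section says what a token requested without the flag is allowed to do. Because the token is meant to travel in a URL query string (`?auth=` in the commit description), where it can be recorded in server access logs and browser history, the least-privileged behaviour should be the documented default. This file looks like generated checker output, so the comments belong on the source interface: on `readOnly`, `/** Restrict the token to read-only access; when omitted the token is <state the default here>. */`, and on `ttlMsecs`, `/** Lifetime of the token in milliseconds; request a fresh token before it elapses. */`. How the server handles the option is outside this section, so the effective default needs confirming there.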