(core) add an access token mechanism to help with attachments in custom widgets

Summary:
With this, a custom widget can render an attachment by doing:
```
const tokenInfo = await grist.docApi.getAccessToken({readOnly: true});
const img = document.getElementById('the_image');
const id = record.C[0];  // get an id of an attachment
const src = `${tokenInfo.baseUrl}/attachments/${id}/download?auth=${tokenInfo.token}`;
img.setAttribute('src', src)
```

The access token expires after a few mins, so if a user right-clicks on an image
to save it, they may get access denied unless they refresh the page. A little awkward,
but S3 pre-authorized links behave similarly and it generally isn't a deal-breaker.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Subscribers: dsagal

Differential Revision: https://phab.getgrist.com/D3488
Paul Fitzpatrick
2022-07-19 11:39:49 -04:00
parent 5c0a250309
commit dd8d2e18f5
22 changed files with 551 additions and 34 deletions

@@ -97,6 +97,11 @@ export interface GristDocAPI {
applyUserActions(actions: any[][], options?: any): Promise<any>;
// TODO: return type should be Promise<ApplyUAResult>, but this requires importing
// modules from `app/common` which is not currently supported by the build.
/**
* Get a token for out-of-band access to the document.
*/
getAccessToken(options: AccessTokenOptions): Promise<AccessTokenResult>;
}
/**
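Review bot: getAccessToken declares options as a required parameter, yet the only field on AccessTokenOptions is the optional readOnly, so a caller who wants the defaults still has to pass {}. Consider `options?: AccessTokenOptions`. The doc comment "Get a token for out-of-band access to the document" is also too thin for a credential-issuing call: it should say that the token is short-lived and that it is presented as the `auth` query parameter on requests under baseUrl, as the commit message's example does.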
@@ -127,3 +132,13 @@ export interface GristView {
*/
setSelectedRows(rowIds: number[]): Promise<void>;
}
export interface AccessTokenOptions {
readOnly?: boolean; // restrict use of token to reading.
}
export interface AccessTokenResult {
token: string; // token string
baseUrl: string; // url of document api, like https://..../api/docs/DOCID
ttlMsecs: number; // number of milliseconds token will be valid for (typically several minutes)
}
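Review bot: the comment on readOnly in AccessTokenOptions does not state the default, so a widget that omits the flag cannot tell from this interface whether its token permits writes. Because the token travels in a URL (`?auth=${tokenInfo.token}` in the commit message's example), where it can end up in browser history or request logs, state the default explicitly and consider making read-only the behaviour when the flag is absent. On AccessTokenResult, the ttlMsecs comment says only "typically several minutes"; add that callers should request a fresh token instead of reusing one past ttlMsecs, since the summary notes that expired links return access denied.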