(core) add an access token mechanism to help with attachments in custom widgets

Summary: With this, a custom widget can render an attachment by doing: ``` const tokenInfo = await grist.docApi.getAccessToken({readOnly: true}); const img = document.getElementById('the_image'); const id = record.C[0]; // get an id of an attachment const src = `${tokenInfo.baseUrl}/attachments/${id}/download?auth=${tokenInfo.token}`; img.setAttribute('src', src) ``` The access token expires after a few mins, so if a user right-clicks on an image to save it, they may get access denied unless they refresh the page. A little awkward, but s3 pre-authorized links behave similarly and it generally isn't a deal-breaker. Test Plan: added tests Reviewers: dsagal Reviewed By: dsagal Subscribers: dsagal Differential Revision: https://phab.getgrist.com/D3488
2026-03-02 04:09:24 +00:00 · 2022-07-19 11:39:49 -04:00
parent 5c0a250309
commit dd8d2e18f5
22 changed files with 551 additions and 34 deletions
--- a/package.json
+++ b/package.json
@@ -41,6 +41,7 @@
    "@types/fs-extra": "5.0.4",
    "@types/image-size": "0.0.29",
    "@types/js-yaml": "3.11.2",
+    "@types/jsonwebtoken": "7.2.8",
    "@types/lodash": "4.14.117",
    "@types/lru-cache": "5.1.1",
    "@types/mime-types": "2.1.0",
@@ -119,6 +120,7 @@
    "image-size": "0.6.3",
    "jquery": "2.2.1",
    "js-yaml": "3.12.0",
+    "jsonwebtoken": "8.3.0",
    "knockout": "3.5.0",
    "locale-currency": "0.0.2",
    "lodash": "4.17.15",