avoid authorization error dialog with request from studio actions

- we now support that if the request has a header X-WWW-Authenticate: none then the server won't set WWW-Authenticate as part of its response headers - we set X-WWW-Authenticate: none to all XMLHttpRequest we do from studio. this causes that errors coming from api that are invoked from studio does not longer show the authentication browser dialog and show our error dialog directly - we now set WWW-Authenticate one in our general request error handling, we've adapted the code to throw authorization errors and delegate the actual response and header set to the general error handler
jsreport · Jul 3, 2023 · 650f8f8 · 650f8f8
1 parent cc49422
commit 650f8f8
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 20 deletions.
diff --git a/packages/jsreport-authentication/lib/main.js b/packages/jsreport-authentication/lib/main.js
@@ -338,13 +338,13 @@ function addPassport (reporter, app, admin, definition) {
             return next()
           }
 
-          res.setHeader('WWW-Authenticate', authSchema + ' realm=\'realm\'')
-
-          if (authInfo) {
-            return res.status(authInfo.status ? authInfo.status : 401).end(authInfo.message)
-          }
+          const authorizationError = reporter.createError(authInfo?.message != null ? authInfo.message : 'Unauthorized', {
+            statusCode: authInfo?.status != null ? authInfo.status : 401,
+            code: 'UNAUTHORIZED',
+            authorizationMessage: authInfo?.message
+          })
 
-          return res.status(401).end()
+          return next(authorizationError)
         }
 
         return next()
@@ -470,8 +470,9 @@ function configureRoutes (reporter, app, admin, definition) {
       return next()
     }
     if (!reporter.studio) {
-      res.setHeader('WWW-Authenticate', (req.authSchema || 'Basic') + ' realm=\'realm\'')
-      return res.status(401).end()
+      return next(reporter.createError('Unauthorized', {
+        code: 'UNAUTHORIZED'
+      }))
     }
 
     const viewModel = Object.assign({}, req.session.viewModel || {})
@@ -497,8 +498,7 @@ function configureRoutes (reporter, app, admin, definition) {
       }
 
       if (!reporter.studio || (req.url.indexOf('/api') > -1 || req.url.indexOf('/odata') > -1)) {
-        res.setHeader('WWW-Authenticate', (req.authSchema || 'Basic') + ' realm=\'realm\'')
-        return res.status(401).end()
+        return next(reporter.authorization.createAuthorizationError('Unauthorized'))
       }
 
       return res.redirect('/login')

diff --git a/packages/jsreport-express/lib/handleError.js b/packages/jsreport-express/lib/handleError.js
@@ -27,8 +27,11 @@ function handleError (reporter) {
     }
 
     if (err.code === 'UNAUTHORIZED') {
-      res.setHeader('WWW-Authenticate', (req.authSchema || 'Basic') + ' realm=\'realm\'')
-      res.status(statusCode != null ? statusCode : 401).end()
+      if (req.get('X-WWW-Authenticate') !== 'none') {
+        res.setHeader('WWW-Authenticate', (req.authSchema || 'Basic') + ' realm=\'realm\'')
+      }
+
+      res.status(statusCode != null ? statusCode : 401).end(err.authorizationMessage)
       return
     }
 

diff --git a/packages/jsreport-public-templates/lib/main.js b/packages/jsreport-public-templates/lib/main.js
@@ -40,10 +40,11 @@ function routes (reporter) {
     })
 
     app.get('/public-templates', (req, res, next) => {
-      reporter.documentStore.collection('templates').findOne({ readSharingToken: req.query.access_token }).then((template) => {
+      const templatesCol = reporter.documentStore.collection('templates')
+
+      templatesCol.findOne({ readSharingToken: req.query.access_token }).then((template) => {
         if (!template) {
-          res.setHeader('WWW-Authenticate', (req.authSchema || 'Basic') + ' realm=\'realm\'')
-          return res.status(401).end()
+          return res.status(401).end('Invalid access token or template is no longer shared')
         }
 
         reporter.express.render({

diff --git a/packages/jsreport-studio/src/helpers/api.js b/packages/jsreport-studio/src/helpers/api.js
@@ -57,6 +57,7 @@ methods.forEach((m) => {
     }
 
     request.set('X-Requested-With', 'XMLHttpRequest')
+    request.set('X-WWW-Authenticate', 'none')
     request.set('Expires', '-1')
     request.set('Cache-Control', 'no-cache,no-store,must-revalidate,max-age=-1,private')
 

diff --git a/...tatic/dist/client.ebcc7db81dd9fc3ddb61.js → ...tatic/dist/client.adc32d29acd06d6a3366.js b/...tatic/dist/client.ebcc7db81dd9fc3ddb61.js → ...tatic/dist/client.adc32d29acd06d6a3366.js
diff --git a/...c/dist/client.ebcc7db81dd9fc3ddb61.js.map → ...c/dist/client.adc32d29acd06d6a3366.js.map b/...c/dist/client.ebcc7db81dd9fc3ddb61.js.map → ...c/dist/client.adc32d29acd06d6a3366.js.map
diff --git a/packages/jsreport-studio/static/dist/index.html b/packages/jsreport-studio/static/dist/index.html
@@ -250,7 +250,7 @@
 </div>
 <div id="content" class="root-container container"></div>
 
-<script src="client.ebcc7db81dd9fc3ddb61.js"></script>
+<script src="client.adc32d29acd06d6a3366.js"></script>
 
 </body>
 </html>