Bug #6899
closed
Send auth token with Solr queries
0%
Description
So that private data shows up in search results
Updated by ben leinfelder about 9 years ago
I think it's probably fine to send the auth token with query requests, but I'm a little concerned that the browser session isn't providing access to private content. After all, that's how we are able to retrieve an auth token from the portal following authentication as it is. Perhaps something changed with all the proxying that happens through the search server apache config on to the cn solr index. Could we look into this together to make sure we're not adding a band aid to something that needs sutures?
Updated by Lauren Walker about 9 years ago
The token is now being sent with queries - but a bug in d1_solr_extensions needs to be ironed out and slated for d1 2.0.1 before I can test that it's all working with the UI.
Updated by Lauren Walker about 9 years ago
- Status changed from New to Resolved
Auth tokens are sent in the request header of almost all requests sent by MetacatUI now. The exceptions are requests sent to third-party services such as Bioportal and ORCID, and Metacat services like the online metadata registry. The app will need to send the initial DataCatalog or Metadata View search twice since it first will send before the token is retrieved, and then again once the token is retrieved and the user model is configured as logged-in.
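The scoping described in the last comment (token attached to first-party requests, withheld from third-party services, absent on the first search), sketched as an added example that is not part of the ticket and is not MetacatUI code. The function names, origins, paths, token value and the `Authorization: Bearer` header form are assumptions.

```javascript
// Added example, not MetacatUI code. Origins, paths and the token are constructed.
// Assumption: the token travels as "Authorization: Bearer <token>".
const TOKEN_ORIGINS = new Set([
  "https://search.example.org", // hypothetical search server that proxies to the CN
]);

// Build headers for one outgoing request. The token is attached only when the
// resolved URL is HTTPS and its exact origin is on the first-party list.
function buildRequestHeaders(requestUrl, token, pageOrigin) {
  const headers = { Accept: "application/json" };
  if (!token) return headers; // first search: token not retrieved yet

  let url;
  try {
    url = new URL(requestUrl, pageOrigin); // resolves relative paths too
  } catch {
    return headers; // unparseable URL: send nothing sensitive
  }
  // Compare the parsed origin, never a substring or prefix of the raw URL.
  if (url.protocol === "https:" && TOKEN_ORIGINS.has(url.origin)) {
    headers.Authorization = "Bearer " + token;
  }
  return headers;
}

// Returns true when the given request would carry the token.
function sendsToken(requestUrl, token, pageOrigin) {
  return "Authorization" in buildRequestHeaders(requestUrl, token, pageOrigin);
}

const PAGE = "https://search.example.org";
const SAMPLE_TOKEN = "constructed.sample.token";
const SAMPLE_REQUESTS = [
  "/cn/v2/query/solr/?q=*:*",                       // first-party, relative path
  "https://orcid.example.net/v2.0/search",          // third-party service
  "https://search.example.org.lookalike.example/q", // first-party name as a prefix
  "https://search.example.org@thirdparty.example/", // first-party name as userinfo
  "http://search.example.org/q",                    // right host, cleartext scheme
];
for (const r of SAMPLE_REQUESTS) {
  console.log(sendsToken(r, SAMPLE_TOKEN, PAGE) ? "token   " : "no token", r);
}
```

Only the first sample request carries the token. With a `null` token the same search goes out without the header, which is why private records appear only after the search is re-sent once the token has been retrieved.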