mike-jumper opened a new pull request #649: URL: https://github.com/apache/guacamole-client/pull/649
This change refactors the REST API to alternatively accept the authentication token via a `Guacamole-Token` header, and updates the JavaScript side of things to use that header instead of the old `token` parameter. The `token` parameter remains usable as an alternative means of submitting the token.

With the HTTP tunnel using the tunnel UUID as its own sort of session token (to allow the communication for the tunnel to span multiple HTTP requests), these changes also refactor the HTTP tunnel to decouple its internal concept of a session from the tunnel UUID, effectively removing the HTTP tunnel's token from the URL, as well.

The WebSocket tunnel has not been touched here. Part of the reason for this is that WebSocket does not provide for any means of submitting arbitrary headers along with the handshake, thus we must either continue to use the URL or use WebSocket messages. Arguably, continuing to use the WebSocket URL in this way is perfectly fine:

* https://stackoverflow.com/a/65001506
* https://faqs.ably.com/is-it-secure-to-send-the-access_token-as-part-of-the-websocket-url-query-params

If we decide to change this, as well, I suggest we let that be a separate pull request.
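
The header-versus-parameter handling described in the pull request above, as an added example that is not part of the pull request or of Guacamole's own code. The function names, the sample path and token value, and the header-first precedence are assumptions; the example also shows that the request line, which access logs typically record, stops carrying the token once it moves to the header.

```javascript
// Added illustration: names and header-first precedence are assumptions,
// not taken from the Guacamole code base.
const TOKEN_HEADER = 'guacamole-token'; // compared lowercased: header names are case-insensitive
const TOKEN_PARAM = 'token';
const BASE = 'http://placeholder.invalid'; // only used to parse relative URLs

// Server side: locate the auth token, preferring the header and falling back
// to the legacy query parameter. Returns { token, source } or null.
function resolveToken(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {}))
    headers[name.toLowerCase()] = value;

  const fromHeader = headers[TOKEN_HEADER];
  if (typeof fromHeader === 'string' && fromHeader !== '')
    return { token: fromHeader, source: 'header' };

  const fromParam = new URL(req.url, BASE).searchParams.get(TOKEN_PARAM);
  if (fromParam)
    return { token: fromParam, source: 'parameter' };
  return null;
}

// Client side: move a token found in the URL into the header instead,
// leaving every other query parameter in place.
function toHeaderRequest(req) {
  const url = new URL(req.url, BASE);
  const token = url.searchParams.get(TOKEN_PARAM);
  url.searchParams.delete(TOKEN_PARAM);
  const headers = { ...(req.headers || {}) };
  if (token) headers['Guacamole-Token'] = token;
  return { method: req.method, url: url.pathname + url.search, headers };
}

// What an access log typically records: the request line, query string included.
function requestLine(req) {
  return `${req.method} ${req.url} HTTP/1.1`;
}

// Constructed sample request; the path and token value are made up.
const legacy = { method: 'GET', url: '/api/example/resource?token=CONSTRUCTED-TOKEN&page=2', headers: {} };
const migrated = toHeaderRequest(legacy);
console.log(requestLine(legacy));
console.log(requestLine(migrated));
console.log(resolveToken(legacy), resolveToken(migrated));
```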
