On Wed, Mar 1, 2023 at 8:16 PM Ankit Raibole <[email protected]>
wrote:
> Hello Dev team,
>
> My doubt is regarding passing the authToken in the header instead of query
> parameters.
> Currently, I am passing the authToken as query params like
> "{guacServerURL}/#client/{connectionId}/token?{authToken}" and changing
> the current window.location.href to this one, and it works fine as I am
> able to connect to the VM.
> But now I want to pass it in headers. I referred to this PR:
> https://github.com/apache/guacamole-client/pull/649, and we can't send
> headers in href or window.open. So I tried making a GET call (used ajax,
> fetch, XMLHTTP to pass the token in headers) for this URL and generating
> the page with the response. But then it is not working as it gives 403.
> How should I proceed?
>
You cannot pass the "Guacamole-Token" header in a request for static
content and have that header have any impact on whether future requests to
the REST API, etc. are properly authenticated.

The webapp only reads tokens from the "token" query parameter or
"Guacamole-Token" header from authenticated parts of the application: the
REST API and tunnel endpoints. Everything else is static content
implementing a single-page app that leverages JavaScript and the
application's REST API for all dynamic functionality. When you pass the
"token" query parameter to the UI portion of the application via the URL
visible in the browser, that JavaScript is actually manually copying that
token and using it for its REST and tunnel requests, hence why that works.

It is not possible for JavaScript within the page to read HTTP headers
involved in the GET request for that same page.
- Mike
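
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Guacamole's own code: a small model in which static content ignores the token and every REST request must carry it itself. The paths (`/`, `/api/example`), the URL layout, the token value and the 403 status are assumptions made for illustration; only the "token" parameter and "Guacamole-Token" header names come from the thread.

```javascript
// Simplified model, NOT Guacamole's implementation. All values are constructed.
const TOKEN = "CONSTRUCTED-TOKEN-123";
const VALID_TOKENS = new Set([TOKEN]);

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalize(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Server side: each request is judged on its own. Only the authenticated
// parts (REST API, tunnel) look for a token; static content never does,
// and nothing is remembered between requests.
function handleRequest({ path, query = {}, headers = {} }) {
  const authenticatedPart = path.startsWith("/api/") || path.startsWith("/tunnel");
  if (!authenticatedPart) return { status: 200, body: "<static single-page app>" };
  const token = normalize(headers)["guacamole-token"] ?? query.token;
  return VALID_TOKENS.has(token)
    ? { status: 200, body: "connection data" }
    : { status: 403, body: "denied" };
}

// Client side: page script can read the URL shown in the browser, but not
// the headers of the request that fetched the page.
function tokenFromPageUrl(href) {
  const url = new URL(href);
  const i = url.hash.indexOf("?");
  const hashQuery = i >= 0 ? url.hash.slice(i + 1) : "";
  return url.searchParams.get("token") ?? new URLSearchParams(hashQuery).get("token");
}

// Approach from the question: header sent only with the request for the page.
function headerOnPageLoadOnly() {
  const page = handleRequest({ path: "/", headers: { "Guacamole-Token": TOKEN } });
  const api = handleRequest({ path: "/api/example" }); // later call, no token
  return [page.status, api.status];
}

// What works: script copies the token from the URL onto each API request.
function tokenCopiedByPageScript(href) {
  const token = tokenFromPageUrl(href);
  return handleRequest({ path: "/api/example",
                         headers: { "Guacamole-Token": token } }).status;
}
```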