ATiC to ATaP migration
We introduced Access Token in Cookie (ATiC) to work around the limitations of using simple GET requests against the API. While this worked for the longest time, the current version of Firefox does not send cookies in cross-site requests as part of its Enhanced Tracking Protection feature. Chrome still sends those cookies.
This ticket is to start migrating away from the ATiC approach and use Access Token as Parameter (ATaP) instead. The migration steps will be as follows:
- Rename `AccessTokenInCookieFilter` to `AccessTokenAsParameterFilter`
- Update `AccessTokenAsParameterFilter` to first check if the method is `POST`, then look for the `access_token` parameter in the form body -- but not in the URL query string!
  - If the parameter name appears in the query string, throw `400 Bad request`
- If found, extract the token and apply it the same way we apply it in the current filter
  - If possible, remove the `access_token` parameter from the form
  - Send back the cookie
- If no such parameter is found, then proceed with the current logic, including sending back the cookie
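The filter steps above, modelled as a plain JavaScript function (an added example, not the project's filter code). The request shape, the function names and the cookie name are assumptions, and the rejection of a repeated `access_token` is an extra check that the ticket does not list.

```javascript
// Added example: framework-independent model of the filter steps in the ticket.
// Names are hypothetical; the cookie name is an assumption (the page gives none).
const TOKEN_PARAM = 'access_token';
const TOKEN_COOKIE = 'access_token';
const FORM_TYPE = /^application\/x-www-form-urlencoded\b/i;

function reject(reason) {
  return { error: 400, reason, token: null, source: null, setCookie: null };
}

// req is a constructed shape: { method, query, contentType, body, cookies }
function resolveAccessToken(req) {
  if (req.method === 'POST') {
    // URLSearchParams decodes names, so "access%5Ftoken=..." is caught too.
    if (new URLSearchParams(req.query || '').has(TOKEN_PARAM)) {
      return reject(`${TOKEN_PARAM} must not appear in the query string`);
    }
    if (FORM_TYPE.test(req.contentType || '')) {
      const form = new URLSearchParams(req.body || '');
      const values = form.getAll(TOKEN_PARAM);
      // Extra check, not in the ticket: refuse ambiguous repeated tokens.
      if (values.length > 1) return reject(`repeated ${TOKEN_PARAM} in form body`);
      if (values.length === 1 && values[0] !== '') {
        form.delete(TOKEN_PARAM); // downstream handlers never see the token
        return { error: null, token: values[0], source: 'form',
                 body: form.toString(), setCookie: values[0] };
      }
    }
  }
  // No form token: existing cookie logic, and the cookie is still sent back.
  const token = (req.cookies || {})[TOKEN_COOKIE] || null;
  return { error: null, token, source: token ? 'cookie' : null,
           body: req.body || '', setCookie: token };
}

// Constructed sample request
const sample = {
  method: 'POST', query: 'page=2',
  contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
  body: 'access_token=tok-EXAMPLE&filter=wheat', cookies: {},
};
console.log(resolveAccessToken(sample));
```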
After we upgrade the client applications, we can:
- Stop sending back the cookie in phase 1, and
- Stop looking for the cookie in phase 2.
Genesys UI and Embedded Genesys
These both need updating to not rely on ATiC when making direct requests to the API (i.e. without axios and its authentication).
- Set `withCredentials: false` for axios, that will stop sending and receiving cookies.
- Add access token as a parameter to forms
- Change remaining GET requests to POSTs.