-
Type:
Improvement
-
Status: Resolved
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: ADDONS_7.10, ADDONS_8.10, ADDONS_9.10
-
Component/s: Nuxeo Drive
-
Sprint:nxDrive 10.3.3
-
Story Points:3
Current Situation
Drive uses a WebView to open the acquire_token.jsp webpage. The WebView is only used for authentication.
But it has several drawbacks.
Security Reasons
The address bar is not shown.
The user cannot check the HTTPS status nor use any addon/context menu to do anything.
Maintenance and Packaging Costs
To be able to use the WebView, we need to have an up-to-date PyQt5 version. But starting with the version 5.11, packagers do not ship the WebEngine module anymore on Windows 32 bits.
So for now we are using a different PyQt5 version for Windows and for GNU/Linux and macOS, which is working. We do not want to be stuck with an old version on Windows.
Moreover the situation will not evolve, so the gap will be more and more large with the time.
Another little thing: PyQt5 with the WebEngine size is 60 Mo heavier than without. So Drive could benefit of lighter installers and lesser packaging time.
Solution
The future proof solution is to use the user's browser.
As other applications are doing for authentication (Slack, Zoom, the Mobile app and others), they just open a new tab with the authentication URL and parameters. Then the server redirects to a predefined URL with a token.
The idea is to use the custom protocol handler like we are doing with DirectEdit: nxdrive://COMMAND/ARGUMENTS.
We can simply tell the server to redirect to nxdrive://token/TOKEN.
Changes are little and simple: we are copying data from acquire_token.jsp into drive_login.jsp and do the redirection to the custom protocol.
We are only targeting the Nuxeo Drive addon, so we do not rely on a given HF and the feature is directly available to customers.
There is only one inconvenient: when the server will do the redirection, the tab will still be opened in the user's browser.
We do not have power on the browser, the user will have to close it is manually. But this is not a big deal, applications like Zoom have the same "problem".
Also we do not consider that a problem given the number of times a user will have to authenticate in Drive.
Rejected Ideas
- Drop the support for Windows 32 bits. Even if new machines comes with 64 bits support by default since some time, we still have too many people that are on 32 bits machines to drop its support.
- Apply changes into the acquire_token.jsp file. But this would imply to drop the support of old HF of the server. This is important, because as Drive supports all officially supported versions of the server, it would be difficult to set a minimum server version to high. Also, we cannot force customers to install latest HF just for Drive.
- is related to
-
NXP-25691 Add new drive_login.jsp in marketplace-drive for 10.2
-
- Resolved
-
- is required by
-
NXDRIVE-1291 Use the user's browser for authentication
-
- Resolved
-
