jwt,browser: allow short-expiry tokens for GETs (#4684)

This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
2025-11-22 02:35:30 -05:00 · 2017-07-24 12:46:37 -07:00
parent 4785555d34
commit ec5293ce29
7 changed files with 131 additions and 6 deletions
--- a/browser/app/js/web.js
+++ b/browser/app/js/web.js
@@ -112,6 +112,9 @@ export default class Web {
        return res
      })
  }
+  CreateURLToken() {
+    return this.makeCall('CreateURLToken')
+  }
  GetBucketPolicy(args) {
    return this.makeCall('GetBucketPolicy', args)
  }