| const url = | ||
| 'net.thunderbird://accounts/new' + | ||
| `?name=${encodeURIComponent(userDisplayName)}` + | ||
| `&email=${encodeURIComponent(primaryEmail)}` + | ||
| `&token=${encodeURIComponent(data.token)}`; |
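Review bot: `data.token` on the last line is interpolated into the URL with no visible check that the request succeeded. The endpoint in this PR answers a missing token with status 401 and a body of `{'success': False, 'error': ...}` that has no `token` key, in which case this would build `&token=undefined`; check `data.success` (or the response status) before assigning the URL. The token also travels in the query string of a custom-protocol URL, so it is visible to whichever handler the OS has registered for `net.thunderbird://`; keeping its lifetime short limits that exposure.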
Based on the Matrix discussions, would this be ok as a starting point for the URL to unblock the Desktop part of the integration development?
I think I'd prefer something like "net.thunderbird://add-thundermail/?…" so anyone reading the URL can immediately see what's going on. Also that avoids any potential issues if we add other "accounts" actions later on (all things named "accounts" would have to be handled in the same place, which isn't necessarily bad, but might add a few more hoops to jump through).
Note that passing the access token would only give Thunderbird access for that session, and the user would be asked to sign in again next time they started Thunderbird. If it was the refresh token instead, Thunderbird could then request the access token from the server.
Sounds good to me! I've updated the PR with your suggested URL and passing down the refresh token instead.
| @login_required | ||
| @require_http_methods(['POST']) | ||
| def generate_desktop_connect_token(request: HttpRequest): | ||
| """Returns the OIDC access token for the Thunderbird Desktop custom | ||
| protocol connect flow. The token is fetched on-click rather than | ||
| embedded in the page to limit its exposure in the DOM.""" | ||
|
|
||
| access_token = request.session.get('oidc_access_token') | ||
| if not access_token: | ||
| return JsonResponse( | ||
| {'success': False, 'error': str(_('Authentication token not available. Please try logging in again.'))}, | ||
| status=401, | ||
| ) | ||
|
|
||
| return JsonResponse({'success': True, 'token': access_token}) |
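Review bot: The success response on the last line returns the session's OIDC access token in a JSON body, and no cache headers are set in the visible lines. Consider marking this response `Cache-Control: no-store` (for example with Django's `never_cache` decorator) so the token is not retained by the browser or an intermediary. The docstring could also state that the value is the session's existing `oidc_access_token` rather than a newly generated one, since the function name says `generate`.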
During today's Accounts/Mail meeting, it was suggested that the initial attempt to make the integration work was to pass in the access token as is for simplicity. In the future, we could generate a single use token of sorts encrypted using a secret that only TB Desktop and Accounts have.
I've made this a dedicated endpoint since leaving the access token in the window._page global wasn't a great idea.
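The single-use token idea mentioned in the comment above, as an added sketch that is not part of the PR or the project's code. It swaps in a random opaque code that is stored server-side and redeemed once, rather than encryption with a shared secret; `HandoffCodeStore`, `CODE_TTL_SECONDS` and the in-memory dict are assumptions for illustration.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime of a handoff code


class HandoffCodeStore:
    """In-memory stand-in for a server-side store (hypothetical; a real
    deployment would use a shared cache or database)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(code) -> (user_id, expires_at)

    @staticmethod
    def _digest(code: str) -> str:
        # Only the hash is stored, so a dump of the store does not
        # reveal codes that are still redeemable.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create the value that would go in the URL instead of the token."""
        code = secrets.token_urlsafe(32)
        expires_at = self._now() + CODE_TTL_SECONDS
        self._pending[self._digest(code)] = (user_id, expires_at)
        return code

    def redeem(self, code: str):
        """Return the user id once; None if unknown, expired or reused."""
        # pop() removes the entry on first use, which makes the code single use.
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id
```

With this shape, a code copied out of the URL after the first redemption, or after the TTL, no longer grants anything.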
|
|
||
| ```shell | ||
| docker compose exec backend uv run manage.py test thunderbird_accounts.client.tests | ||
| docker compose exec accounts uv run manage.py test thunderbird_accounts.mail.tests |
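Review bot: The two `manage.py test` lines differ in the compose service (`backend` and `accounts`) as well as in the test module (`client.tests` and `mail.tests`). If the service rename is intentional, mention it alongside the module change so readers of the README know both parts of the command changed.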
Changed from client to mail since we don't have a module for client anymore
Description of changes
- POST desktop-connect/token endpoint that currently only returns the user's access token.
- window.location with the formatted custom protocol mapping in the format that was suggested by the Desktop team.

Known issues / Things to improve
Related issues
Fixes #708