Skip to content

OpenConceptLab/ocl_issues#2454 | Expect 302/303 for export download#30

Merged
snyaggarwal merged 1 commit intomasterfrom
issues#2454
Apr 9, 2026
Merged

OpenConceptLab/ocl_issues#2454 | Expect 302/303 for export download#30
snyaggarwal merged 1 commit intomasterfrom
issues#2454

Conversation

@snyaggarwal
Copy link
Copy Markdown
Contributor

@snyaggarwal snyaggarwal commented Apr 6, 2026

Linked Issue

Closes OpenConceptLab/ocl_issues#2454

@snyaggarwal snyaggarwal requested a review from paynejd April 6, 2026 13:41
@snyaggarwal snyaggarwal mentioned this pull request Apr 6, 2026
Closed
paynejd
paynejd reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@paynejd paynejd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review

Overall this is a solid cleanup. The async/await migration, better error handling, and defensive filename parsing are all good improvements. A few things to flag:

Browser auto-follows the 302 — the code never actually sees it

Worth noting for future readers: in a browser environment, XHR/fetch always follows redirects transparently. So when the API returns 302→S3, the JavaScript code sees the final 200 from S3 with blob data — not a 302. That's why the status === 200 branch still handles the download. The PR title says "Expect 302/303" but really it's "expect the browser to follow a 302 and give us the blob from S3." This is correct behavior, just potentially confusing if someone reads the title and then looks for explicit 302 handling.

CORS on S3 is a prerequisite

The redirect sends the browser directly to S3. The S3 bucket must have a CORS policy allowing the oclweb2 origin, otherwise the redirected request will fail silently (caught by the catch block, but the user just sees a generic error). Worth validating this is configured before merging.

Additionally, if you want Content-Disposition from S3 to be readable by JavaScript (for the filename), the S3 CORS config needs Access-Control-Expose-Headers: Content-Disposition. Without it, the browser hides that header from JS and the fallback export.zip filename will always be used. That may be acceptable, but if you want accurate filenames, the CORS expose is needed.

Authorization header is safely stripped

On cross-origin redirect (API → S3), the browser strips custom headers like Authorization. This is fine because the S3 URL is pre-signed — auth is in the query params, not headers.

Small items

  • errorDetails: falseerrorDetails: null — good, semantically correct
  • link.remove() — fixes a DOM leak the old code had
  • setTimeout(() => revokeObjectURL, 1000) — good, prevents revoking before download starts
  • The RFC 5987 filename*=UTF-8''... parsing is a nice robustness improvement

paynejd
paynejd approved these changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@paynejd paynejd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM assuming CORS is taken care of

@snyaggarwal snyaggarwal merged commit f835fba into master Apr 9, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paynejd paynejd paynejd approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Repo Version Export Streaming causes performance issue

2 participants

@snyaggarwal @paynejd