Merge pull request #233 from dbmi-bgm/remove-jwt-from-headers

Remove JWT from headers

pyproject.toml

@@ -1,7 +1,7 @@
 [tool.poetry]
 # Note: Various modules refer to this system as "encoded", not "cgap-portal".
 name = "encoded"
-version = "4.0.2"
+version = "4.0.3"
 description = "Clinical Genomics Analysis Platform"
 authors = ["4DN-DCIC Team <support@4dnucleome.org>"]
 license = "MIT"

src/encoded/renderers.py

@@ -176,7 +176,9 @@ def security_tween(request):
                             # by libs/react-middleware.js which is imported by server.js and compiled into
                             # renderer.js. Is used to get access to User Info on initial web page render.
                             response.headers['X-Request-JWT'] = request.cookies.get('jwtToken','')
-                            response.headers['X-User-Info'] = json.dumps(request.user_info) # Re-ified property set in authentication.py
+                            user_info = request.user_info # Re-ified property set in authentication.py
+                            del user_info["id_token"] # Redundant - don't need this in SSR nor browser as get from X-Request-JWT.
+                            response.headers['X-User-Info'] = json.dumps(user_info)
                         else:
                             response.headers['X-Request-JWT'] = "null"
             return response

src/encoded/static/libs/react-middleware.js

@@ -83,6 +83,7 @@ const render = function (AppComponent, body, res) {
     }
 
     res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.removeHeader("X-Request-JWT");
     //var duration = process.hrtime(start);
     //res.setHeader('X-React-duration', duration[0] * 1e6 + (duration[1] / 1000 | 0));
     return new Buffer('<!DOCTYPE html>\n' + markup);